
Adobe ColdFusion 2021 Lockdown Guide

Written by Pete Freitag, Foundeo Inc.

© 2020 Adobe Systems Incorporated and its Licensors. All Rights Reserved.

Adobe ColdFusion (2021 release) Lockdown Guide

If this guide is distributed with software that includes an end user agreement, this guide, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.

The content of this guide is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Adobe Systems Incorporated. Adobe Systems Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.

Please remember that existing artwork or images that you may want to include in your project may be protected under copyright law. The unauthorized incorporation of such material into your new work could be a violation of the rights of the copyright owner. Please be sure to obtain any permission required from the copyright owner. Any references to company names in sample templates are for demonstration purposes only and are not intended to refer to any actual organization.

Adobe, the Adobe logo, Adobe Content Server, Adobe Digital Editions, and Adobe PDF are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Macintosh and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective owners.

Adobe Systems Incorporated, 345 Park Avenue, San Jose, California 95110, USA.

Notice to U.S. Government End Users. The Software and Documentation are “Commercial Items,” as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States.

For U.S. Government End Users, Adobe agrees to comply with all applicable equal opportunity laws including, if appropriate, the provisions of Executive Order 11246, as amended, Section 402 of the Vietnam Era Veterans Readjustment Assistance Act of 1974 (38 USC 4212), and Section 503 of the Rehabilitation Act of 1973, as amended, and the regulations at 41 CFR Parts 60-1 through 60-60, 60-250, and 60-741. The affirmative action clause and regulations contained in the preceding sentence shall be incorporated by reference.

Table of Contents

1 Introduction
  1.1 Default File Paths and Usernames
  1.2 Operating Systems and Web Servers
  1.3 ColdFusion Version
  1.4 Scope of Document
  1.5 Applying to Existing Installations
  1.6 Naming Conventions

2 ColdFusion On Windows
  2.1 Installation Prerequisites
  2.2 Install & Configure IIS
  2.3 Run the Windows ColdFusion Installer
  2.4 Install ColdFusion Hotfixes
  2.5 ColdFusion 2021 Lockdown Tool Pre-requisites
  2.6 Run the ColdFusion 2021 Server Auto-Lockdown Tool
  2.7 Update JVM

3 ColdFusion Package Management
  3.1 Package Management From a Security Perspective
  3.2 Listing Installed Packages
  3.3 Update Installed Packages
  3.4 Remove Unnecessary Packages

4 ColdFusion Administrator Settings
  4.1 Server Settings > Settings
  4.2 Server Settings > Request Tuning
  4.3 Server Settings > Caching
  4.4 Server Settings > Client Variables
  4.5 Server Settings > Memory Variables
  4.6 Server Settings > Mappings
  4.7 Server Settings > Mail
  4.8 Server Settings > WebSocket
  4.9 Server Settings > Charting
  4.10 Data & Services > Data Sources
  4.11 Data & Services > NoSQL Data Sources
  4.12 Data & Services > ColdFusion Collections
  4.13 Data & Services > Solr
  4.14 Data & Services > Rest Services
  4.15 Data & Services > PDF Service
  4.16 Data & Services > Cloud Credentials
  4.17 Data & Services > Cloud Configuration
  4.18 Debugging & Logging > Debug Output Settings
  4.19 Debugging & Logging > Developer Profile
  4.20 Debugging & Logging > Debugger Settings
  4.21 Debugging & Logging > Logging Settings
  4.22 Debugging & Logging > Remote Inspection Settings
  4.23 Event Gateways > Settings
  4.24 Event Gateways > Gateway Instance
  4.25 Security > Administrator
  4.26 Security > RDS
  4.27 Security > Sandbox Security
  4.28 Security > User Manager
  4.29 Security > Allowed IP Addresses
  4.30 Security > Secure Profile
  4.31 Security > IDP Configuration
  4.32 Security > SP Configuration
  4.33 Package Manager > Packages
  4.34 Package Manager > Settings

5 Additional Lockdown Measures
  5.1 To Configure the Builtin Web Server to bind to 127.0.0.1 only
  5.2 To Run the Builtin Web Server over TLS
  5.3 To Disable the Builtin Web Server
  5.4 Deny ColdFusion Write Permission to Builtin Web Server wwwroot
  5.5 Restrict ColdFusion File System Permissions
  5.6 Lockdown the ColdFusion Add-on Services
  5.7 Lockdown File Extensions
  5.8 Additional URIs to Consider Blocking
  5.9 Optionally Remove ASP.NET
  5.10 Remove ASP.NET ISAPI Filters and Handler Mappings
  5.11 Disable Unused Servlet Mappings
  5.12 Additional Tomcat Security Considerations
  5.13 Additional File Security Considerations
  5.14 Adding ClickJacking Protection
  5.15 Restricting HTTP Verbs
  5.16 Security Constraints in web.xml
  5.17 Limit Request Size
  5.18 Distributed Mode or Reverse Proxy
  5.19 HTTP Response Headers to improve Security

6 ColdFusion Lockdown on Linux
  6.1 Linux Installation Prerequisites
  6.2 Create a Dedicated User Account for ColdFusion
  6.3 ColdFusion Installation
  6.4 Access ColdFusion Administrator via a SSH Tunnel
  6.5 Install ColdFusion Hotfixes
  6.6 Install and Configure Apache Web Server
  6.7 Run the Linux ColdFusion Auto Lockdown Tool
  6.8 Update JVM
  6.9 Auditing
  6.10 Change umask
  6.11 Additional Lockdown Steps

7 Performance Monitoring Toolset Security Considerations
  7.1 Installing the PMT
  7.2 ColdFusion Server Auto Discovery
  7.3 PMT Datastore
  7.4 Run PMT and PMT Datastore as Dedicated User
  7.5 Update PMT JVM
  7.6 Configure PMT Datastore to run on localhost (if applicable)
  7.7 Update the PMT Software

8 API Manager Security Considerations
  8.1 Install API Manager
  8.2 Connect API Manager to IIS
  8.3 Run API Manager as a Dedicated User
  8.4 Update the API Manager JVM
  8.5 Update the API Manager Software

9 Patch Management Procedures

10 Sources of Information

11 Reference Tables
  11.1 Tags that use /cf_scripts/ assets

12 Troubleshooting
  12.1 ColdFusion cannot write files under the web root
  12.2 Requesting a cfm results in a 404 after Lockdown tool
  12.3 WebSockets are not working after running lockdown tool
  12.4 Help Installing ColdFusion Hotfixes

13 Revision History

ColdFusion 2021 Lockdown Guide (2021-01-29)


1 Introduction

The ColdFusion 2021 Lockdown Guide is written to help server administrators secure ColdFusion 2021 installations. In this document you will find several tips and suggestions intended to improve the security of your ColdFusion server.

IMPORTANT: The reader is strongly encouraged to test all recommendations on an isolated test environment before deploying into production.

1.1 Default File Paths and Usernames

This guide provides example file system paths for installation; you should not use the same example installation paths in your own installation.

1.2 Operating Systems and Web Servers

This guide focuses on Windows 2019 / IIS 10, and RedHat Enterprise Linux (RHEL) 8 / Apache 2.4. Many of the suggestions presented in this document can be extrapolated to apply to similar operating systems and web servers.

1.3 ColdFusion Version

This guide was written for ColdFusion 2021 Enterprise Edition.

1.4 Scope of Document

This document does not detail security settings for the operating system, the web server, databases, or network firewalls. It is focused on security settings for the ColdFusion server only.

All suggestions in this document should be tested and validated on a non-production environment before deploying to production.

1.5 Applying to Existing Installations

This guide is written from the perspective of a fresh installation. When possible consider performing a fresh installation of the operating system, web server and the ColdFusion server. If an attacker has compromised the existing server in any way you should start with a fresh operating system installation on new hardware.

1.6 Naming Conventions

In this guide we refer to the ColdFusion installation root directory as {cf.root}; it corresponds to the directory that you select when installing ColdFusion. The ColdFusion instance root is referred to as {cf.instance.root}. Enterprise installations may have multiple instances, but the default instance is {cf.root}/cfusion/.

2 ColdFusion On Windows

This section covers the installation and configuration of ColdFusion 2021 on a Windows 2019 server. If you are running Linux please start at section 6 ColdFusion Lockdown on Linux.

In this section we will perform the following:

- Installation Prerequisites
- Install & Configure IIS
- Install ColdFusion
- Run the ColdFusion Auto Lockdown Tool
- Update the JVM

2.1 Installation Prerequisites

Before you begin the installation process please review the following:

- Configure a network firewall (and/or the Windows firewall) to block all incoming public traffic during installation.
- Run the Microsoft Security Compliance Toolkit Policy Analyzer (https://www.microsoft.com/en-us/download/details.aspx?id=55319) and adjust settings as necessary.
- Create separate partitions and/or drives for the ColdFusion installation, website assets, and log files. This limits what a path traversal attack can reach, and it can also mitigate a denial of service attack that attempts to fill the main system drive.
- Remove or disable any software on the server that is not required.
- Run Windows Update and ensure all software running on the server is fully patched.
- Ensure that all partitions use NTFS to allow for fine grained access control and auditing.
- Download ColdFusion from adobe.com over HTTPS.
- Verify that the MD5 or SHA checksum listed on the adobe.com download page matches the file you downloaded. In PowerShell you can run Get-FileHash installer-file-name.exe -Algorithm md5 to obtain the checksum (use -Algorithm sha256 whenever a SHA-256 value is published; MD5 detects accidental corruption but is not collision resistant, so it gives little protection against a deliberately substituted file).

2.2 Install & Configure IIS

IMPORTANT: Before configuring IIS ensure that public traffic is blocked by your network or OS firewall. You should only enable public traffic after completing all the steps in the lockdown guide.

2.2.1 Install IIS Roles and Features

Open the Windows Server Manager application, under the Manage menu select Add Roles and Features. If IIS is not already installed check Web Server (IIS).

A minimal set of IIS Role Services may include the following:

- Common HTTP Features: Default Document
- Common HTTP Features: HTTP Errors
- Common HTTP Features: Static Content
- Health and Diagnostics: HTTP Logging
- Security: Request Filtering
- Security: IP and Domain Restrictions
- Application Development: .NET Extensibility 4.7 (or latest version)
- Application Development: ASP.NET 4.7 (or latest version)
- Application Development: CGI
- Application Development: ISAPI Extensions
- Application Development: ISAPI Filters
- Management Tools: IIS Management Console

If the server application uses WebSockets also install:

Application Development: WebSocket Protocol

If you wish to add web server level authentication to any sites you should also install one of the Authentication modules such as:

Security: Windows Authentication

Select any additional IIS role services or features that your web applications require. You can always go back and add additional roleservices later if necessary.


2.2.2 Add WebSites to IIS

At a minimum create a web root directory for each website on the server file system. To increase isolation between websites you mayconsider placing each site on a unique drive letter.

Next copy the website source code into each web root directory.

In IIS add your web site.

Test your IIS web site configuration by requesting a static file such as a txt or js file. At this point we have not yet connected IIS to ColdFusion so ColdFusion files (cfm, cfc, etc.) cannot be served yet.

2.2.3 Remove Default Web Site

You may remove the Default Web Site defined by IIS, as well as any Application Pools that are not in use.
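The three steps of section 2.2 (install the minimal role services, add one site per web root and test a static file, remove the default site and unused application pools) as a single PowerShell script. This is an added example, not part of Adobe's guide or the Auto-Lockdown Tool. It assumes Windows Server 2019 with the ServerManager and WebAdministration modules; the site names, host headers and drive paths are placeholders, and each host name is assumed to resolve to this server (for instance through a hosts file entry) while the static-file test runs.

```powershell
# Added example (not from the Lockdown Guide): section 2.2 on Windows Server 2019.
# Assumes the ServerManager and WebAdministration modules; sites, hosts and paths
# below are placeholders.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 2.2.1: feature names map one to one onto the role services listed in the guide.
$features = @(
    'Web-Server',          # Web Server (IIS) role
    'Web-Default-Doc',     # Common HTTP Features: Default Document
    'Web-Http-Errors',     # Common HTTP Features: HTTP Errors
    'Web-Static-Content',  # Common HTTP Features: Static Content
    'Web-Http-Logging',    # Health and Diagnostics: HTTP Logging
    'Web-Filtering',       # Security: Request Filtering
    'Web-IP-Security',     # Security: IP and Domain Restrictions
    'Web-Net-Ext45',       # Application Development: .NET Extensibility 4.x
    'Web-Asp-Net45',       # Application Development: ASP.NET 4.x
    'Web-CGI',             # Application Development: CGI
    'Web-ISAPI-Ext',       # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter',    # Application Development: ISAPI Filters
    'Web-Mgmt-Console'     # Management Tools: IIS Management Console
)
# Optional, only when the applications need them:
# $features += 'Web-WebSockets'    # Application Development: WebSocket Protocol
# $features += 'Web-Windows-Auth'  # Security: Windows Authentication
Install-WindowsFeature -Name $features | Out-Null
Import-Module WebAdministration

# 2.2.2: one web root per site, on its own drive where possible (placeholders).
$sites = @(
    @{ Name = 'www.example.com';      Path = 'E:\sites\www.example.com\wwwroot'; Host = 'www.example.com' },
    @{ Name = 'intranet.example.com'; Path = 'F:\sites\intranet\wwwroot';        Host = 'intranet.example.com' }
)

foreach ($s in $sites) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null
    # A dedicated application pool per site keeps worker processes isolated.
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) { New-WebAppPool -Name $s.Name | Out-Null }
    if (-not (Get-Website -Name $s.Name)) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -ApplicationPool $s.Name `
                    -Port 80 -HostHeader $s.Host | Out-Null
    }
    # Static-file smoke test: IIS is not connected to ColdFusion yet, so only
    # non-CF content can be served at this stage.
    $probe = Join-Path $s.Path 'healthcheck.txt'
    Set-Content -Path $probe -Value 'ok' -NoNewline
    $resp = Invoke-WebRequest -Uri "http://$($s.Host)/healthcheck.txt" -UseBasicParsing
    if ($resp.StatusCode -ne 200 -or $resp.Content -ne 'ok') { throw "Static content test failed for $($s.Name)" }
    Remove-Item $probe
}

# 2.2.3: remove the default site, then every application pool no site still uses.
if (Get-Website -Name 'Default Web Site') { Remove-Website -Name 'Default Web Site' }
$inUse = (Get-Website).applicationPool | Sort-Object -Unique
Get-ChildItem IIS:\AppPools | Where-Object { $inUse -notcontains $_.Name } |
    ForEach-Object { Remove-WebAppPool -Name $_.Name }
Get-Website | Select-Object Name, State, PhysicalPath, applicationPool | Format-Table -AutoSize
```

Running the script a second time is safe: features already present are skipped by Install-WindowsFeature, and the site and pool creation is guarded by existence checks.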

2.3 Run the Windows ColdFusion Installer

2.3.1 ColdFusion Installer: Installer Configuration

On the Installer Configuration view select Server configuration unless you are deploying to an external JEE server (such as JBoss, Weblogic or Websphere).

2.3.2 ColdFusion Installer: Deployment Type

Next select the appropriate Deployment Type that the server is licensed for. See https://www.adobe.com/go/cf_deployment_type for details.

2.3.3 ColdFusion Installer: Server Profile

Next select Production Profile + Secure Profile and enter a comma separated list of IP addresses that are allowed to access the ColdFusion Administrator.

Tip: if you want to allow localhost access to the ColdFusion Administrator, enter both the IPv4 (127.0.0.1) and IPv6 (::1) versions of localhost. Some browsers may use IPv6 by default for localhost.

The Secure Profile option provides a more secure foundation of default settings. You can review the settings it toggles here: https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html

Some of the settings that the Secure Profile toggles could cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues.

As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.

2.3.4 ColdFusion Installer: Sub-components Installation

Only select Sub-components that your server applications require.

- ODBC Service - Required when connecting to Access databases. ODBC is not required for SQL Server, Oracle, MySQL or PostgreSQL.
- Solr Service - Full text search engine used by the cfindex, cfsearch and cfcollection tags.
- PDFG Service - WebKit based PDF rendering engine used by the cfhtmltopdf tag. The cfdocument and cfpdf tags do not use the PDFG service.
- Admin Component for Remote Start/Stop - Allows ColdFusion Builder or the Server Manager AIR app to start or stop ColdFusion. Not recommended for production servers.
- .NET Integration Services - Allows createObject and cfobject to create instances of .NET objects and assemblies.

2.3.5 ColdFusion Installer: Enabling or Disabling Servlets

Keep all servlets unchecked (disabled) unless you use the cfreport tag. If you use the cfreport tag, then only the CF Reporting servlet should be checked (enabled).

- RDS - Used for development, allows remote access to the file system and databases. This should not be enabled on a production server.
- JS Debug - Used for debugging, should not be enabled on a production server.
- CF Reporting - Only required if the cfreport tag is used.

2.3.6 ColdFusion Installer: Access Add-on Services Remotely

If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components the ColdFusion 2021 Add-on Services Windows service will be installed.

When the Access Add-on Services Remotely checkbox is unchecked, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from other ColdFusion servers, check the checkbox and specify the IP addresses of the remote ColdFusion servers.

2.3.7 ColdFusion Installer: Select Installation Directory

Specify a file system path for the ColdFusion Installation root {cf.root} - consider avoiding the default C:\ColdFusion2021\ path.

Windows ColdFusion Installer: Select Installation Directory

2.3.8 ColdFusion Installer: Built-in Web Server Port Number

Select a non-default port number. Ensure that the port is blocked by your network/OS firewall.

Windows ColdFusion Installer: Built-in Web Server Port Number
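The firewall steps that sections 2.1 and 2.2 mark IMPORTANT, together with blocking the built-in web server port chosen in 2.3.8, as an added PowerShell example (not part of Adobe's guide or the Lockdown Tool). It assumes the NetSecurity module that ships with Windows Server 2016 and later; the port number 8501 and the rule names are placeholders.

```powershell
# Added example (not from the Lockdown Guide). Keeps IIS closed to the network
# while the server is built (2.1, 2.2) and blocks the non-default built-in web
# server port chosen in 2.3.8. Assumes the NetSecurity module (Windows Server
# 2016+); the port and rule names are placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$builtinPort = 8501      # placeholder: the non-default port entered in 2.3.8
$blockRule   = 'Block ColdFusion built-in web server'

# Every profile should drop unsolicited inbound traffic unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Installing the Web Server role adds inbound allow rules for 80/443. Disable
# them until the lockdown is finished, then re-enable with Enable-NetFirewallRule.
foreach ($group in 'World Wide Web Services (HTTP)', 'Secure World Wide Web Services (HTTPS)') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# Block rules take precedence over allow rules in Windows Firewall, so this
# holds even if a later change adds a broad allow. Loopback traffic is not
# filtered, so the Administrator stays reachable from the server itself.
if (-not (Get-NetFirewallRule -DisplayName $blockRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockRule -Direction Inbound -Protocol TCP `
        -LocalPort $builtinPort -RemoteAddress Any -Action Block -Profile Any | Out-Null
}

# Verify: block rule present and enabled, IIS rules disabled, and what is
# listening on the built-in port (expect only Tomcat, once ColdFusion is installed).
Get-NetFirewallRule -DisplayName $blockRule |
    Select-Object DisplayName, Enabled, Action, Profile | Format-Table -AutoSize
Get-NetFirewallRule -DisplayGroup 'World Wide Web Services (HTTP)' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled | Format-Table -AutoSize
Get-NetTCPConnection -State Listen -LocalPort $builtinPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The HTTP and HTTPS rule groups are only disabled, not deleted, so they can be switched back on with Enable-NetFirewallRule -DisplayGroup once every step of the guide has been completed; the block rule for the built-in port should stay in place permanently.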

2.3.9 ColdFusion Installer: Performance Monitoring Toolset

Enter the hostname or internal IP address of the server for use with the performance monitoring toolset. This value can be changed later.

Windows ColdFusion Installer: Performance Monitoring Toolset

2.3.10 ColdFusion Installer: Administrator Credentials

Enter a username other than the default (admin) and select a strong password.


Windows ColdFusion Installer: Administrator Credentials

2.4 Install ColdFusion Hotfixes

Login to the ColdFusion Administrator via the built-in web server. For example: http://127.0.0.1:8500/CFIDE/administrator/ (replace 8500 with the port you selected during installation).

Click on Package Manager > Core Server > Check for Updates. If any hotfixes are available, select the latest hotfix and click Download.

Tip: ColdFusion Hotfixes are cumulative, so if there are multiple hotfixes you typically only need to install the latest one. Security hotfixes may have additional steps such as updating the JVM or updating connectors; be sure to read each Security Bulletin for details.

Run the hotfix installer from an elevated (Run as Administrator) Command Prompt or PowerShell terminal (replace hotfix_XXX.jar with the actual hotfix file name):

x:\cf2021\jre\bin\java -jar x:\cf2021\cfusion\hf-updates\hotfix_XXX.jar

Tip: You can verify the integrity of the downloaded hotfix by running Get-FileHash hotfix_XXX.jar -Algorithm md5 (in PowerShell) and checking that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Visit https://www.adobe.com/support/security/ and read any pertinent ColdFusion Security Bulletins. Confirm that all required security patches have been applied.

Some hotfixes or updates may require you to run the ColdFusion Web Server Configuration Tool to upgrade the connector. Carefully review the hotfix release notes to determine if there are any additional steps that should be performed.

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: https://coldfusion.adobe.com/post.cfm/coldfusion-hotfix-installation-guide

2.4.1 Downloading Hotfixes Via Proxy

If your server requires a proxy server to connect to the internet you may need to add the following JVM arguments (in the ColdFusion Administrator under Server Settings > Java and JVM) and then restart ColdFusion to use your proxy server:

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=12345 -Dhttp.proxyUser=u -Dhttp.proxyPassword=p

These arguments, including the proxy password, are written in plain text to the instance's jvm.config and are visible in the process command line. Remove them once the hotfix has been downloaded unless the proxy is needed permanently.

2.4.2 Servers Without a Public Internet Connection

If your server is air-gapped, or does not have a public internet connection, you can locate the hotfix_XXX.jar file URL using the ColdFusion Update Feed: https://www.adobe.com/go/coldfusion-updates. Download the hotfix_XXX.jar file on a computer with internet access, verify the checksum, and then transfer it to the server.

2.5 ColdFusion 2021 Lockdown Tool Pre-requisites

Before running the ColdFusion 2021 Auto-Lockdown Tool, make sure you have done the following:

- Installed ColdFusion 2021 with Secure Profile enabled.
- Logged in to the ColdFusion Administrator at least once.
- Set up a website in IIS for each site that will use ColdFusion on the server.

2.6 Run the ColdFusion 2021 Server Auto-Lockdown Tool

The Auto Lockdown Tool performs the following steps for you:

- Connects ColdFusion to the web server (wsconfig)
- Sets the ColdFusion service identity to run as a dedicated account, and optionally creates the account for you
- Sets file system permissions for your web root and ColdFusion installation directory
- Adds Request Filtering rules to block various URIs
- Adds a connector shared secret
- Optionally changes the Tomcat shutdown port
- Configures a new cf_scripts alias
- Changes registry permissions

Before you run the tool, make sure you have completed the pre-requisites in the previous section.

Download and run the latest copy of the ColdFusion 2021 Server Auto-Lockdown Tool: https://www.adobe.com/support/coldfusion/downloads.html

2.6.1 Lockdown Installer: ColdFusion Installation Directory

Choose the directory that ColdFusion was installed to.

Lockdown Installer: Select Installation Directory

2.6.2 Lockdown Installer: ColdFusion Updates

Choose Yes / Automatic to ensure that ColdFusion has been updated to the latest hotfix. Adobe recommends that you install ColdFusion updates before running the Lockdown tool.

Lockdown Installer: ColdFusion Updates

2.6.3 Lockdown Installer: ColdFusion Configuration

Select the instance that you want to lockdown.

Lockdown Installer: ColdFusion Configuration

2.6.4 Lockdown Installer: Web Server Configuration

Select the type of web server you are using, IIS in this case.


Lockdown Installer: Web Server Configuration

2.6.5 Lockdown Installer: Websites in IIS

Select the websites that you wish to connect ColdFusion to and to lockdown.

Tip: you can hold Shift or Ctrl when clicking to select multiple sites.

Lockdown Installer: Websites in IIS

2.6.6 Lockdown Installer: IIS Application Pool Detail

Verify that the application pool name is correct for each website.

Lockdown Installer: IIS Application Pool Detail

2.6.7 Lockdown Installer: IIS Websites Webroot Detail

Verify that the web root paths are correct for each website.

Lockdown Installer: IIS Websites Webroot Detail

2.6.8 Lockdown Installer: ColdFusion Administrator Configuration

Enter the ColdFusion Administrator username and password specified during the ColdFusion installation. Also ensure that the built-in web server port is correctly specified (the default port is 8500).

Lockdown Installer: ColdFusion Administrator Configuration

2.6.9 Lockdown Installer: OS Administrator Account Details

Enter the Administrator username, password and server name or domain.


2.6.10 Lockdown Installer: ColdFusion Runtime User

Create a unique username for the user account that ColdFusion will run as. Specify the domain, and a strong password.


Lockdown Installer: ColdFusion Runtime User

2.6.11 Lockdown Installer: Shutdown Port

Choose Yes and enter a random port number that is not in use.

2.6.12 Confirm that the Auto Lockdown Tool Ran Successfully

Open the {cf.root}/lockdown/{cf.instance}/Logs/ folder and review the log files to confirm that the installer completed without fatal errors. Specifically look in the log file(s) that begin with ServerLockdown_ and look for a line containing: Successfully locked down ColdFusion!

2.6.13 Check User Account Permissions

When the lockdown installer creates a Windows user account for ColdFusion to run as, it does not check the box Deny this user permissions to log on to Remote Desktop Session Host server in the User Account Properties.

Open the Computer Management app, under Local Users and Groups find the user account and click Properties. Select the Remote Desktop Services Profile tab and then check the box.

You may also check the box User Cannot Change Password on the General tab of the User Properties window.

2.6.14 Request Filtering

The Lockdown Tool will replace the /cf_scripts mapping with a randomly generated URI. However the URI /cf_scripts should still be blocked at the web server level.

Add /cf_scripts as a Deny Sequence to the Request Filtering in the URL tab. Consider blocking additional URIs discussed in the Additional Lockdown Measures section.
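The checks from 2.6.12 through 2.6.14 as one PowerShell script: confirm the lockdown log reports success, apply the two account flags the tool leaves unset, add the /cf_scripts deny sequence, and prove the sequence is actually blocked. This is an added example, not Adobe's code or part of the Lockdown Tool. It assumes Windows PowerShell 5.1 on Windows Server 2019, {cf.root} at X:\cf2021 with the cfusion instance, a local runtime account named cfruntime, and a site named www.example.com that resolves to this server; all of those are placeholders. The Remote Desktop denial has no cmdlet in the LocalAccounts module, so the script sets it through the account's terminal services extension over ADSI, which is the one step here not taken from the guide.

```powershell
# Added example (not from the Lockdown Guide): verification for 2.6.12 to 2.6.14.
# Assumes Windows PowerShell 5.1; cfRoot, instance, runtime account and site
# name are placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$cfRoot      = 'X:\cf2021'
$instance    = 'cfusion'
$runtimeUser = 'cfruntime'
$siteName    = 'www.example.com'

# 2.6.12: the ServerLockdown_* log must contain the success marker, and any
# FATAL/ERROR lines deserve a read even when it does.
$logDir = Join-Path $cfRoot "lockdown\$instance\Logs"
$hit = Get-ChildItem -Path $logDir -Filter 'ServerLockdown_*' |
    Select-String -Pattern 'Successfully locked down ColdFusion!' -SimpleMatch
if (-not $hit) { throw "No success marker in $logDir; review the logs before continuing." }
Write-Host "Lockdown log OK: $($hit[0].Filename)"
Get-ChildItem -Path $logDir -Filter 'ServerLockdown_*' |
    Select-String -Pattern 'FATAL|ERROR' | Select-Object Filename, LineNumber, Line

# 2.6.13: "User Cannot Change Password" has a LocalAccounts cmdlet. The
# "Deny this user permissions to log on to Remote Desktop Session Host server"
# flag is the AllowLogon property of the IADsTSUserEx extension, reached through
# the WinNT ADSI provider (assumption: RDS components present, as on Server 2019).
Set-LocalUser -Name $runtimeUser -UserMayChangePassword $false
$adsUser = [ADSI]"WinNT://$env:COMPUTERNAME/$runtimeUser,user"
$adsUser.InvokeSet('AllowLogon', 0)   # 0 = deny Remote Desktop logon
$adsUser.SetInfo()

# 2.6.14: deny the original /cf_scripts URI at the web server even though the
# tool replaced the alias with a random one. Idempotent: skips an existing entry.
$filter = 'system.webServer/security/requestFiltering/denyUrlSequences'
$exists = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter "$filter/add[@sequence='/cf_scripts']"
if (-not $exists) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
        -Filter $filter -Name '.' -Value @{ sequence = '/cf_scripts' }
}

# Verify from the outside: Request Filtering answers 404 (substatus 404.5) for
# a denied URL sequence. Anything else means the block is not in effect.
try {
    Invoke-WebRequest -Uri "http://$siteName/cf_scripts/" -UseBasicParsing | Out-Null
    throw "/cf_scripts is still reachable on $siteName"
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -ne 404) { throw "Expected 404 for /cf_scripts, got $status" }
    Write-Host "/cf_scripts blocked on $siteName (HTTP $status)"
}
```

Repeat the Request Filtering part for every site the Lockdown Tool connected, since deny sequences are stored per site location in applicationHost.config. The same pattern, with a different sequence value, covers the additional URIs discussed in the Additional Lockdown Measures section.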

2.6.15 Additional Resources for the Auto Lockdown Tool:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html
https://coldfusion.adobe.com/2018/07/server-auto-lockdown/

2.7 Update JVM

Oracle releases Java security updates on a quarterly basis. Most of these updates fix security vulnerabilities that could be exploited in a server environment, so the JVM bundled with the installer should be replaced with the current release.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However ColdFusion “Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion”. Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

2.7.1 Download and Install Java

Picking the correct version: as of this writing Java 11 is the latest LTS release of Java supported by ColdFusion 2021. Java 9, 10, 12, 13, 14 and 15 are all non-LTS versions and are only supported for a short time (6 months). Learn more here: https://www.petefreitag.com/item/911.cfm

Download the latest LTS version of Java that ColdFusion 2021 supports (Java 11 at the time of this publication) from https://www.adobe.com/support/coldfusion/downloads.html. Select the Java zip distribution and download it.

Tip: Verify the checksum by running powershell: Get-FileHash jdk-11.0.9_windows-x64_bin.zip -Algorithm sha256

Extract the java zip file you download to a permanent location, for example C:\Java\jdk-11.0.9\

2.7.2 Update ColdFusion Server JVM

Tip: Make a backup of the {cf.instance.root}/bin/jvm.config file and the {cf.root}/cfusion/jetty/jetty.lax file before making changes. If you type the path incorrectly ColdFusion will fail to start.

Login to the ColdFusion Administrator, then click on Server Settings then Java and JVM. Update the Java Virtual Machine Path setting to point to the new JVM, for example: C:\Java\jdk-11.0.9\

Restart ColdFusion. Visit the System Information page of ColdFusion administrator to confirm that the JVM has been updated.

If you need to revert your changes and go back to the default JVM, replace jvm.config with your backup and restart/start ColdFusion.

Repeat for each ColdFusion instance.

Test your sites again.

2.7.3 Disable Unused Services

Open the Windows Services Application. Review each service, and disable any services that are not used.

- ColdFusion 2021 Application Server: this is the primary ColdFusion service; it should stay running.
- ColdFusion 2021 Add-on Services: this service powers the PDFg Service (cfhtmltopdf tag), as well as the Solr Service (cfsearch). If you do not use these features you may disable this service.
- ColdFusion 2021 ODBC Agent: this can be disabled in most cases; it is only necessary if you have Microsoft Access ODBC datasources. Most datasources will use a JDBC driver (SQL Server, Oracle, MySQL, etc.) not ODBC.
- ColdFusion 2021 ODBC Server: this can be disabled in most cases; it is only necessary if you have Microsoft Access ODBC datasources. Most datasources will use a JDBC driver (SQL Server, Oracle, MySQL, etc.) not ODBC.
- ColdFusion 2021 .NET Integration Service: this service allows integration with .NET classes via the cfobject tag or createObject() function. If you do not use this integration and the service is installed, set the startup type to Disabled.

ColdFusion 2021 Lockdown Guide (2021-01-29) — 2 ColdFusion On Windows Page 16 of 55

Page 20: ColdFusion 2021 Lockdown Guide - Adobe Inc.

To disable a service, right click on it in the Services list, select Properties, then set the Startup Type to Disabled. If the service is running, hit the Stop button.

Lockdown Installer: ColdFusion Runtime User

Verify that each ColdFusion service is set to Log On As the user account that was specified in the Auto-Lockdown tool.

Test your application again to ensure it is still working properly after making changes.
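The service review above scripted in PowerShell, as an added example that is not part of the guide: it lists the ColdFusion 2021 services with their startup type and Log On As account, disables the ones you have confirmed are unused, and flags any remaining service that does not log on as the lockdown runtime user. The runtime user name and the list of services to disable are placeholders to edit for your server; the display names are the ones listed above.

```powershell
# Added example (not from the guide): audit the ColdFusion 2021 Windows services,
# disable the ones the site does not use, and confirm the remaining services run
# as the runtime user chosen in the Auto-Lockdown tool. Run from an elevated session.
$RuntimeUser = '.\cfusion'   # placeholder: the "Log On As" account from the Lockdown tool

# Placeholder list: keep only the services you have confirmed are not used.
$DisableCandidates = @(
    'ColdFusion 2021 Add-on Services',         # PDFg (cfhtmltopdf) and Solr (cfsearch)
    'ColdFusion 2021 ODBC Agent',              # only for Microsoft Access ODBC datasources
    'ColdFusion 2021 ODBC Server',             # only for Microsoft Access ODBC datasources
    'ColdFusion 2021 .NET Integration Service' # cfobject / createObject() .NET integration
)

function Get-ColdFusionServices {
    # Win32_Service exposes StartName, which is the "Log On As" account, and StartMode.
    Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'ColdFusion 2021%'" |
        Select-Object Name, DisplayName, State, StartMode, StartName
}

function Disable-ColdFusionService {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$DisplayName is not installed"; return }
    # Stop it first if running, then prevent it from starting again at boot.
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Host "Disabled: $DisplayName"
}

# Report the current state before changing anything.
Get-ColdFusionServices | Format-Table -AutoSize

foreach ($name in $DisableCandidates) { Disable-ColdFusionService -DisplayName $name }

# Every service that is still enabled must log on as the lockdown runtime user,
# never as LocalSystem; -ne compares case-insensitively.
Get-ColdFusionServices |
    Where-Object { $_.StartMode -ne 'Disabled' -and $_.StartName -ne $RuntimeUser } |
    ForEach-Object { Write-Warning "$($_.DisplayName) logs on as $($_.StartName); expected $RuntimeUser" }
```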

2.7.4 Update JVM for ColdFusion Add-on Services

If you disabled the ColdFusion 2021 Add-on Services service in the previous step, or you did not install it, skip to the next step.

The ColdFusion 2021 Add-on Services service is used for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf) and runs in a separate process from the ColdFusion 2021 Application Server service. The Add-on Services will use the JVM that was shipped with ColdFusion ({cf.root}/jre) by default.

Locate the file {cf.root}/cfusion/jetty/jetty.lax and make a backup of it. Next, right click on jetty.lax and open it with Notepad or any plain text editor. Look for a line that defines the property lax.nl.current.vm, for example:

lax.nl.current.vm=C:\\CF2021\\jre\\bin\\javaw.exe

Change it to point to javaw.exe on your new JVM. Ensure that you use two backslashes \\ to separate folders. For example:

lax.nl.current.vm=C:\\java\\jdk-11.0.XX\\jre\\bin\\javaw.exe

Restart the ColdFusion 2021 Add-on Services service.

Test your sites again.
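The jetty.lax edit above as a script, added here as an example that is not part of the guide: it backs the file up, refuses to write anything unless javaw.exe exists under the new JDK (a wrong path is what stops the service from starting), doubles the backslashes the lax format requires, and rewrites only the lax.nl.current.vm line. The two paths are placeholders for your own {cf.root} and JDK directory; JDK 11 zip distributions put javaw.exe directly under bin, which the existence check confirms.

```powershell
# Added example (not from the guide): point jetty.lax at a new JVM safely.
$JettyLax = 'C:\CF2021\cfusion\jetty\jetty.lax'   # placeholder for {cf.root}/cfusion/jetty/jetty.lax
$NewJdk   = 'C:\Java\jdk-11.0.9'                  # placeholder for the extracted JDK directory

function Set-JettyLaxVm {
    param(
        [Parameter(Mandatory)] [string] $LaxPath,
        [Parameter(Mandatory)] [string] $JdkHome
    )
    $javaw = Join-Path $JdkHome 'bin\javaw.exe'
    if (-not (Test-Path $javaw)) {
        throw "javaw.exe not found at $javaw; the Add-on Services would fail to start"
    }

    # Timestamped backup so the change can be reverted.
    $backup = "$LaxPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $LaxPath -Destination $backup

    # jetty.lax is a Java properties file: a single backslash escapes the next
    # character, so every path separator must be written as "\\".
    $escaped = $javaw.Replace('\', '\\')
    $newLine = "lax.nl.current.vm=$escaped"

    $updated = $false
    $out = foreach ($line in Get-Content -Path $LaxPath) {
        if ($line -match '^lax\.nl\.current\.vm=') {
            $updated = $true
            $newLine          # replace only this property; keep everything else verbatim
        } else {
            $line
        }
    }
    if (-not $updated) {
        throw "lax.nl.current.vm not found in $LaxPath; nothing written, backup at $backup"
    }
    # Write without a byte-order mark so the launcher still parses the file.
    [System.IO.File]::WriteAllLines($LaxPath, [string[]]$out)
    Write-Host "Backup: $backup"
    return $newLine
}

Set-JettyLaxVm -LaxPath $JettyLax -JdkHome $NewJdk
# Then: Restart-Service -DisplayName 'ColdFusion 2021 Add-on Services'
```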

For additional information on updating the JVM please see:

https://www.petefreitag.com/item/860.cfm

https://coldfusion.adobe.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server

https://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start

3 ColdFusion Package Management

The ColdFusion 2021 release includes a new package management system. Packages can be installed, updated or removed from either the ColdFusion Administrator or a command-line cfpm utility located in the {cf.home}/bin/ directory. Packages contain optional features of the ColdFusion server.

When you install ColdFusion using the Windows GUI installer, all packages are installed by default. When you install from a zip file using the cfinstall utility only required packages are installed.

3.1 Package Management From a Security Perspective

From a security perspective you should make sure that the packages you have installed are updated to the latest version.

You will also want to make sure that you remove or uninstall any packages that your application does not require. This reduces the potential attack surface of your server should a vulnerability exist in one of the packages.

3.2 Listing Installed Packages

Locate cfpm.bat (Windows) or cfpm.sh (Linux) in the {cf.home}/bin/ directory and execute it to start a new cfpm CLI session. If it loads properly you should have a prompt:

cfpm>

At the prompt type list and hit enter. Type quit to exit.

If you prefer a GUI, you can view the list of installed packages in the ColdFusion Administrator by clicking on the Package Manager icon.

3.3 Update Installed Packages

Using the cfpm CLI, run the command update packages to update all installed packages to the latest version.

If any packages were updated, test your applications again.

3.4 Remove Unnecessary Packages

The cfpm tool has a code scanner which can determine which packages are required to run the given code. The scanner also takes into account certain ColdFusion Administrator settings, such as datasources, to determine which database drivers are required.

3.4.1 Scan Code for Required Packages

Run the cfpm scan command to scan your application source code to determine what packages are required:

cfpm> scan /path/to/code/ http://127.0.0.1:8500

Where /path/to/code/ is a file system path pointing to the source code, and http://127.0.0.1:8500 is the URL of your built-in web server. The output of the above command will be a list of package names that cfpm finds to be required by your code.

Compare the list of installed packages (cfpm list) with the list of packages required by the code. You can uninstall any packages that are installed but are not required by your code.

3.4.2 Removing Installed Packages

Remove any unnecessary packages by running:

cfpm> uninstall packageName

Where packageName is the name of the package you wish to remove. If you only require a small number of packages and have many installed, you can uninstall all packages by running:

cfpm> uninstall all

Then add necessary packages:

cfpm> install administrator,sqlserver

You may need to restart your ColdFusion server for some package installations to be completed. The tool will indicate this in the output.

Restart ColdFusion and test your applications again.

4 ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.

4.1 Server Settings > Settings

Setting | Suggestion | Additional Info
--- | --- | ---
Timeout Requests After | Checked / 5 Sec. | Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should use the cfsetting tag. For example: <cfsetting requesttimeout="60">
Use UUID for CFToken | Checked | When unchecked the cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID / CFTOKEN pair.
Disable CFC Type check | Unchecked | Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. Performance may degrade when this setting is unchecked.
Disable access to internal ColdFusion Java components | Checked | The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components being enabled. This practice should be avoided as these components are not documented.
Prefix serialized JSON with | Checked: // | This setting helps prevent JSON hijacking, a vulnerability which was exploitable in very old browsers (IE9 and below). ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat="json" or use the serializeJSON function, the prefix will be applied, and should be removed in the client code before processing. Developers can override this setting at the application level.
Maximum Output Buffer size | 1024KB or lower | A lower output buffer size may reduce the memory footprint in some applications. Keep in mind that once the output buffer is flushed, tags that modify the response headers will throw an exception.
Enable In-Memory File System | Unchecked if not used | If your applications do not require the in-memory file system, uncheck this checkbox.
Memory Limit for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have allocated sufficient JVM heap space to accommodate the memory limit.
Memory Limit per Application for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have sufficient JVM heap space to accommodate the memory limit.
Watch configuration files for changes (check every N seconds) | Unchecked | If your configuration requires this setting to be enabled (if using a WebSphere ND vertical cluster, for example), increase the time to be as large as possible. If an attacker is able to modify the configuration of your ColdFusion server, their changes can become active within a short period of time when this setting is enabled.
Enable Global Script Protection | Understand limits, checked | This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not fully protect your site from all possible Cross Site Scripting attacks.
Disable creation of unnamed applications | Checked | Applications should have a name so they can be isolated from each other.
Allow adding application variables to Servlet Context | Unchecked | Keep unchecked to improve application isolation.
Default ScriptSrc Directory | /not-default/ | Because the scripts directory also contains CFML source code, you should create a virtual directory / alias at a non-default location. The default values are /cf_scripts/scripts or /cf2018_scripts or /cf2021_scripts, and /CFIDE/scripts in prior versions of CF.
Default Maximum Thread Count For Parallel Functions | Tuned | Set to 1 if not using parallel functions.
Allowed file extensions for CFInclude tag | cfm | This setting restricts the file extensions which get compiled (executed) by a cfinclude tag. Any file extensions not matching this list are statically included; any CFML source code would not be executed. Take care to ensure that you have specified the file extensions of all files that contain CFML code and are included with cfinclude. This setting was added in CF2018 Update 3. It can be defined at an application level as well via this.blockedExtForFileUpload. If your code also uses the .cfml file extension for cfinclude files, then set to cfm,cfml.
Blocked file extensions for CFFile uploads | * or list | This setting restricts what file extensions are allowed to be uploaded by ColdFusion. If you do not allow file uploads you should set this to * to block all extensions. If you do allow uploads, ensure that all executable file extensions (such as cfm, cfc, etc.) are specified as a comma separated list. You can use :empty-extension to block file uploads without an extension. This setting can be defined at an application level as well.
Application.cfc/Application.cfm lookup order | Depends on Application | Consult with developers to select the best setting that works for your Application layout. If your Applications only have Application.cfc or Application.cfm files in the web root, then set to In webroot.
Executor Pool: Core Pool Size | Tuned | If you do not use the async features set to 1, otherwise tune the value based on available CPU threads.
Executor Pool: Maximum Pool Size | Tuned | If you do not use the async features set to 1, otherwise tune the value based on available CPU threads.
Azure Service Bus: Core Pool Size | Tuned | If you do not use the Azure Service Bus set to 1, otherwise tune the value based on available CPU threads.
Azure Service Bus: Maximum Pool Size | Tuned | If you do not use the Azure Service Bus set to 1, otherwise tune the value based on available CPU threads.
Missing Template Handler | Custom Template | The missing template handler HTML output should be equivalent to the 404 error handler specified on your web server.
Site-wide Error Handler | Custom Template | When blank, the site-wide error handler may expose information about the cause of exceptions. Specify a custom site-wide error handler that discloses the same generic message to the user for all exceptions. Be sure to log and monitor the actual exceptions thrown.
Maximum number of POST request parameters | As low as your application allows | Set this to the maximum number of form fields you have on any given page. Allowing too many form fields may allow for a DOS attack known as HashDOS. See https://www.petefreitag.com/item/808.cfm
Maximum size of post data | As low as possible | If your application does not deal with large HTTP POST operations (such as file uploads, or large web service requests), reduce this size to 1MB. If the application does allow uploads of files, set this to the maximum size you want to allow. You should also be able to specify an HTTP request size limit on your web server.
Request Throttle Threshold | 1MB | ColdFusion will throttle any request larger than this value. If your application requires a large number of concurrent file uploads to take place, you may need to increase this setting.
Request Throttle Memory | Tuned | On a 32 bit installation the default value would be close to 20% of the heap. 64 bit servers allow for much larger heap sizes. Aim for 10% of the maximum heap size as an upper limit for this setting.
Allow REST Discovery | Unchecked if not used | This setting enables the end point /rest/_api_listing or /api/_api_listing to allow the ColdFusion API Manager to get a listing of REST APIs. ColdFusion Administrator authentication is required.
Enable mobile’s server workflow | Unchecked | Use of this feature should be carefully considered on production servers. The mobile key is accessible to the client, making it difficult to protect.
Enable CORS | Unchecked | When this checkbox is checked it will add the following HTTP response headers to all CFML responses: Access-Control-Allow-Origin: *, Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With and Access-Control-Allow-Methods: GET, OPTIONS, HEAD, PUT, POST. This in most cases is overly permissive (allows cross site requests from all origins); use the web server or CFML application logic to send these response headers.
Mobile server context | Non default | If you have Enable mobile’s server workflow checked, set the mobile server context value to a non default (not /cfmobile) value.

4.2 Server Settings > Request Tuning

The Request Tuning settings can mitigate the impact of Denial of Service (DOS) attacks against your server.

Setting | Suggestion | Additional Info
--- | --- | ---
Maximum number of simultaneous Template requests | Tuned based on hardware | When this setting is too high or too low the ability to perform a denial of service attack increases. When too low, requests will be queued when the server is placed under load. When too high, requests may not be queued under load, causing the CPU time of all requests to increase significantly (known as context switching). Find a good medium by performing load tests against your production environment; use the value that has the ability to serve the most requests per second.
Maximum number of simultaneous Flash Remoting requests | 1 if not using Flash Remoting, otherwise tuned | If your applications do not use Flash Remoting set this value to 1 and disable Flash Remoting. If you do use Flash Remoting use a load testing approach to find the optimal value for this setting. Note that the Server Monitor feature in Enterprise makes use of Flash Remoting.
Maximum number of simultaneous Web Service requests | 1 if not publishing SOAP web services, otherwise tuned | If your applications do not publish SOAP web services set this value to 1. Otherwise tune this setting using load tests.
Maximum number of simultaneous CFC function requests | 1 if not using Remote CFC function requests, otherwise tuned | This setting applies only to CFC functions that have access=remote specified, when they are invoked via an HTTP request, for example: /example.cfc?method=MethodName. The ColdFusion AJAX proxy uses this method to invoke CFCs. If your applications do not make use of this feature set to 1. Otherwise use load testing to find the optimal value for this setting.
Maximum number of simultaneous Report threads | 1 | Keep at 1 unless using cfreport heavily.
Maximum number of threads available for CFTHREAD | 1 if not using cfthread, tuned otherwise |
Timeout requests waiting in queue after | 5 seconds (Match Request Timeout) | This setting can generally be set equivalent to the Timeout Requests After value specified in the Settings section. A lower setting here may decrease the effectiveness of DOS attacks.
Request Queue Timeout Page | Custom Template | Specify an HTML file giving the user a message to wait and retry their request again. The message should not disclose the fact that the queue timed out.

4.3 Server Settings > Caching

Setting | Suggestion | Additional Info
--- | --- | ---
Trusted Cache | Checked | Enabling trusted cache improves performance by caching CFML code for the duration of the server process (unless manually cleared). This may also mitigate a situation where an attacker attempts to change a file on the server: the new code would not execute until the server is restarted or the cache is cleared.
Redis Cache Settings Password | Specified if used | If you have a Redis Server specified, ensure that the server is configured to require a password.

4.4 Server Settings > Client Variables

Setting | Suggestion | Additional Info
--- | --- | ---
Default Storage Mechanism for Client Sessions | None / Cookie | Set to None if possible. When applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition it is not recommended to use the Registry. Client variable values stored in cookies can be tainted, so they should not be used for sensitive variables. Use session variables instead.

4.5 Server Settings > Memory Variables

Setting | Suggestion | Additional Info
--- | --- | ---
Use J2EE session variables | Checked if JEE interoperability required | When checked ColdFusion will use the session management of the underlying JEE container (eg Tomcat). Instead of using CFID and CFTOKEN the JSESSIONID cookie is used. When J2EE sessions are enabled certain features such as application specific session cookie settings (this.sessionCookie in Application.cfc) do not apply. The functions SessionRotate and SessionInvalidate do not operate on J2EE sessions.
Enable Session Variables | Unchecked only if not using sessions | Most applications require session variables; however, if none of the applications on the server require session variables then you may uncheck this box.
Session Storage | In Memory or Redis | When using Redis to store sessions take extreme care to ensure that the datastore is protected by network firewalls and a strong password.
Maximum Timeout: Session Variables | Less than 2 days | The default of two days is generally too long for sessions to persist. Lower session timeouts reduce the window of risk of session hijacking.
Default Timeout: Session Variables | 20 minutes or less | Twenty minutes is a good default value; however, applications requiring a high level of security may require a lower timeout value.
Cookie Timeout | -1 | By setting to -1 ColdFusion will set the session cookie as a browser session cookie, which is valid as long as the user's browser window is open.
HTTPOnly | Checked | Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client side technologies from accessing their values (on supported clients).
Secure | Checked if all sites use HTTPS | A client will only transmit a secure cookie over a secured connection (HTTPS).
Disable updating ColdFusion internal cookies using ColdFusion tags/functions | Checked if all sites use HTTPS | You can use this feature to prevent a developer from overriding your global session cookie security settings. Check this only if all applications will use the same settings.
Cookie Samesite default value | lax or strict | The strict option is the most secure; the lax option still improves security but compromises by relaxing some restrictions to improve usability. Avoid using none, as this may make your applications more susceptible to CSRF attacks.

4.6 Server Settings > Mappings

Remove any mappings your applications do not require, such as /gateway.

4.7 Server Settings > Mail

Consider using SSL or TLS to connect to the mail server to encrypt the email in transit.

Consider enabling Log all mail messages sent by ColdFusion.

4.8 Server Settings > WebSocket

Disable the WebSocket Service if you do not use the cfwebsocket tag.

4.9 Server Settings > Charting

Consider changing the Disk cache location to a non default path. The ColdFusion user will require read and write permission to the path specified if cfchart is used.

4.10 Data & Services > Data Sources

Remove the example data sources if they are defined: cfartgallery, cfbookclub, cfcodeexplorer, cfdocexamples.

Ensure that the database user that ColdFusion connects as also has limited permissions, only what is necessary. You should not use sa or root accounts.

Setting | Suggestion | Additional Info
--- | --- | ---
Login Timeout (sec) | 5 Seconds | Decrease this value to be less than the Timeout Requests After setting.
Query Timeout (seconds) | Not 0 | Specify an upper limit to mitigate DOS attacks.
Allowed SQL | Enable only operations required by the application, eg SELECT, INSERT, UPDATE, DELETE | The CREATE, DROP, ALTER, GRANT, and REVOKE operations are not commonly required in web applications.

4.11 Data & Services > NoSQL Data Sources

Consider enabling TLS/SSL, and avoid setting the Auth Mechanism to NONE.

4.12 Data & Services > ColdFusion Collections

Remove the example collection bookclub if it exists.

4.13 Data & Services > Solr

Consider using an HTTPS connection to the Solr server, especially if it is located on a remote server.

Consider running the Solr service on an external server and a non default port for additional isolation.

4.14 Data & Services > Rest Services

Consider changing the default Rest Path to something other than /rest/, or block the default path on your web server if you do not use ColdFusion REST services.

4.15 Data & Services > PDF Service

If the PDF Service is used to generate PDFs containing sensitive data, or if the PDF service is running on a remote server, ensure that HTTPS is enabled.

Consider running the PDF service on an external server and a non default port for additional isolation.

4.16 Data & Services > Cloud Credentials

In the Cloud Credentials page of the ColdFusion Administrator you can create an alias that references an AWS or Azure Cloud credential. The credential alias is used by the getCloudService(cloudCred, cloudConfig) function as the cloudCred argument. The cloudCred can also be passed as a structure.

Servers running directly on AWS or Azure should consider assigning Roles to the server instance. For example, in AWS you can assign an IAM role to an EC2 instance. The instance will be granted temporary credentials at boot for the role assigned to it. To use the Azure/AWS IAM instance role you will need to pass a structure to the getCloudService() function with credentials obtained from the Azure/AWS metadata service.

4.17 Data & Services > Cloud Configuration

The Cloud Configuration administrator allows you to define configuration for specific cloud services.

4.17.1 AWS Specific Cloud Configuration

The following configuration options exist for all AWS service types:

Setting | Suggestion | Additional Info
--- | --- | ---
API Call Attempt Timeout | Specified | Generally this value should be less than the default request timeout.
API Call Timeout | Specified | Generally this value should be less than the default request timeout.
Connection Acquisition Timeout | Specified | Generally this value should be less than the default request timeout.
Connection Max Idle Time | Specified | Appropriate value based on the heuristics of the application. If cloud services are only used for infrequent background processing then a lower value can be used.
Connection Timeout | Specified | Depends on the latency of the network connection from your server to the cloud services. A few seconds should be appropriate in most cases.
Connection Time to Live | Specified | Appropriate value based on the heuristics of the application. If cloud services are only used for infrequent background processing then a lower value can be used.
Socket Timeout | Specified | Depends on the latency of the network connection from your server to the cloud services. A few seconds should be appropriate in most cases.
Max Connections | Specified | Tuned based on the number of available CPU threads, and feature usage.
Retry Policy | 4 | Avoid excessively high values.

4.17.2 AWS S3 Cloud Configuration

These configuration settings apply to AWS S3 Cloud Configurations.

Setting | Suggestion | Additional Info
--- | --- | ---
Path Style Access Enabled | Unchecked | Path Style access to S3 buckets has been deprecated by AWS, so it should be avoided.
Accelerate Mode Enabled | - | Enable only if you have S3 bucket acceleration enabled for the bucket.
Dual Stack Enabled | - | Enable only if your network supports IPv6.
Checksum Validation Enabled | Checked | Checksum validation will ensure that both the client (ColdFusion) and the server (AWS S3) agree that the contents of the transferred file match.
Chunked Encoding Enabled | Checked | Chunked encoding may use less disk I/O resources; test to determine which is more optimal.

4.17.3 Azure BLOB Cloud Configuration

These configuration settings apply to Azure BLOB Cloud Configurations.

Setting | Suggestion | Additional Info
--- | --- | ---
Concurrent Request Count | Specified | Set an upper bound reasonable for your application heuristics and server CPU capabilities. Unless you are doing asynchronous or multithreaded programming the value should not be higher than the maximum number of simultaneous requests.
Timeout Interval (ms) | Specified | Generally this value should be less than the default request timeout.
Maximum Execution time (ms) | Specified | Generally this value should be less than the default request timeout.
Use Transactional Content | Checked | Check to enforce the Content-MD5 header.
Disable content validation | Unchecked | Use the Content-MD5 header.
Store Blob Content | Checked | Use the Content-MD5 header on uploads.
Absorb Conditional Errors on Retry | Unchecked | Unchecked to prevent suppression of errors.
Skip Etag Locking | Unchecked | Don’t skip etag validation.
Enable Logging | Checked | Consider enabling logging if appropriate for your application.

4.17.4 Azure Service Bus Cloud Configuration

These configuration settings apply to Azure Service Bus Cloud Configurations.

Setting | Suggestion | Additional Info
--- | --- | ---
Operation Timeout | Specified | Generally this value should be less than the default request timeout. Tune as appropriate / acceptable for your applications.

4.17.5 Cloud Configuration Retry Policies

Many of the Cloud Configurations allow you to specify retry policies in the event that a connection to the service fails. Ensure that the retry policy selected is not going to cause a cascading downtime in the event that a cloud service is experiencing downtime or high latency.

4.18 Debugging & Logging > Debug Output Settings

Setting | Suggestion | Additional Info
--- | --- | ---
Enable Robust Exception Information | Unchecked | When robust exception information is enabled sensitive information may be disclosed when exceptions occur.
Enable AJAX Debug Log Window | Unchecked | Debugging should not be enabled on a production server.
Enable Request Debugging Output | Unchecked | Debugging should not be enabled on a production server.

4.19 Debugging & Logging > Developer Profile

The Developer Profile should not be enabled on Production servers.

4.20 Debugging & Logging > Debugger Settings

Setting | Suggestion | Additional Info
--- | --- | ---
Allow Line Debugging | Unchecked | Debugging should not be enabled on a production server.

4.21 Debugging & Logging > Logging Settings

Setting | Suggestion | Additional Info
--- | --- | ---
Log directory | Non Default | Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum number of archives multiplied by the number of log files (6 or more). Consider a separate drive / partition for storing logs.
Maximum number of archives | 10 or more | When a log file reaches the Maximum File Size (5000KB by default), it is archived. When the maximum number of archives is reached for a particular log file, the oldest log file is deleted. Some security compliance regulations require that log files are kept for a minimum period of time. Ensure that this value is high enough to retain log files for the required duration.
Use operating system logging facilities | Checked | Certain log entries will be duplicated to syslog on Unix based operating systems.
Enable logging for scheduled tasks | Checked | Log scheduled task execution.

4.22 Debugging & Logging > Remote Inspection Settings

Setting | Suggestion | Additional Info
--- | --- | ---
Allow Remote Inspection | Unchecked | Debugging features should not be enabled on a production server.

4.23 Event Gateways > Settings

Uncheck Enable ColdFusion Event Gateway Services if your applications do not require the use of event gateways.

4.24 Event Gateways > Gateway Instance

Delete the SMS Menu App and any other gateways that are not in use.

4.25 Security > Administrator

Setting | Suggestion | Additional Info
--- | --- | ---
ColdFusion Administration Authentication | Separate user name and password authentication | Using separate usernames and passwords allows you to specify which parts of the ColdFusion Administrator each user may use.
Password Seed | Generate a cryptographically secure random value | The password seed is used to generate an encryption key to encrypt and decrypt passwords for datasources and other services.
Allow concurrent login sessions for Administrator Console | Unchecked | Uncheck to prevent concurrent logins by the same user account in the ColdFusion Administrator.

4.26 Security > RDS

RDS should not be enabled on a production server.

If RDS was previously enabled, ensure that {cf.instance.root}/wwwroot/WEB-INF/web.xml does not contain a servlet-mapping for the RDSServlet.

4.27 Security > Sandbox Security

Sandboxes allow you to lock down which CFML source files have access to the file system, tag / function execution, datasource access, and network access. It is highly recommended that you set up a sandbox or multiple sandboxes for your applications.

Configure sandboxes for each site, or for high risk portions of each site. Following the principle of least privilege, deny access to any tags, functions, datasources, file paths, and IP / ports that do not need to be accessed by code in the particular sandbox.

Your application should be thoroughly tested before enabling sandbox security to ensure that your sandbox has been configured correctly.

4.28 Security > User Manager

Add user accounts for each person that will login to the ColdFusion Administrator.

4.29 Security > Allowed IP Addresses

Allowed IP Addresses for Exposed Services
    Suggestion: Empty
    Additional Info: Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a username and password. It is recommended that you do not use this feature in environments requiring maximum security. This feature has been deprecated as of ColdFusion 11+.

Allowed IP Addresses for ColdFusion Internal Components
    Suggestion: List of internal / administrative IP addresses
    Additional Info: Specify to limit which IP addresses may connect to the ColdFusion Administrator and AdminAPI.

4.30 Security > Secure Profile

Compare the values you have specified with the secure profile recommended values.

Review each setting that will be changed and test your application to ensure that the secure profile settings will not cause any issues.

4.31 Security > IDP Configuration

IDP Configuration is used for configuring SAML Identity Providers, allowing your ColdFusion applications to act as a SAML SP (service provider). Requests to / from the SAML IDP should be signed and encrypted.

Ensure that Sign Requests is checked.

Ensure that all URLs use HTTPS.

4.32 Security > SP Configuration

Requests to / from the SAML SP should be signed.

Ensure that Sign Requests, Want Assertions Signed, and Logout Response Signed are all checked.

If you have multiple ColdFusion servers, or multiple instances acting as a SAML SP, make sure that the Request Store cache used is shared among all servers to avoid Replay Attacks.

Ensure that the ACS URL and the SLO URL use HTTPS.

4.33 Package Manager > Packages

See the section ColdFusion Package Management for guidance.

4.34 Package Manager > Settings

Automatically Check for Updates
    Suggestion: Checked
    Additional Info: Check for ColdFusion updates every time you login to the ColdFusion Administrator. A notification icon will show up in the upper right toolbar if an update is available.

Check for Updates every N days
    Suggestion: Checked
    Additional Info: Set up email alerts to be notified when a server update is available.

Site URL
    Suggestion: https://www.adobe.com/go/coldfusion-updates
    Additional Info: Ensure that the URL is correct and uses HTTPS.

5 Additional Lockdown Measures

The steps outlined in this section can provide additional security but may require special care or attention to configure and maintain.

5.1 To Configure the Builtin Web Server to bind to 127.0.0.1 only

By default the connector will listen on all IP addresses. To configure the builtin web server to only listen on a single address (for example 127.0.0.1), locate the <Connector /> in {cf.instance.root}/runtime/conf/server.xml with a port attribute matching the port your builtin web server is running on, and add an address attribute. For example:

<Connector address="127.0.0.1" ...>

Restart ColdFusion and confirm that the builtin web server now only listens on the specified address. See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html for more information.

5.2 To Run the Builtin Web Server over TLS

The builtin web server can be configured to run over TLS / HTTPS. This is highly recommended, especially if the builtin server is configured to listen on addresses other than localhost.

First, a certificate must be generated. You may obtain a certificate from a trusted certificate authority (recommended) or generate a self-signed certificate.

To generate a self-signed certificate, run the following command:

{cf.root}/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore {cf.root}/tomcat.keystore

Specify a unique password for the keystore when prompted.

Next make a backup of, then edit {cf.instance.root}/runtime/conf/server.xml and locate the <Connector> tag that has a port value matching your builtin web server. Comment out the default builtin web server Connector tag and replace it with something like this:

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https"
           secure="true"
           keystoreFile="{cf.root}\tomcat.keystore"
           keystorePass="{your.password}"
           keyAlias="tomcat"
           clientAuth="false"
           sslProtocol="TLSv1.3" />

Be sure to replace {cf.root} with the path to your ColdFusion installation root (e.g. C:\ColdFusion2021) and {your.password} with the value you specified when you generated your certificate. Consider changing the port 8443 to a non-default value.

The sslProtocol in the example above is set to TLSv1.3; this requires a modern HTTP client/browser to connect to the ColdFusion Administrator. Additionally, TLSv1.3 requires a JVM that implements the protocol (typically found in Java 11+). You could use "TLSv1.2" or "TLSv1.3,TLSv1.2" instead if necessary.

Restart the ColdFusion instance, and visit https://127.0.0.1:8443/CFIDE/administrator/ (change the port to match the value you used). If you used a self-signed certificate you will receive a certificate warning.

Consider specifying the ciphers attribute and useServerCipherSuitesOrder="true" to ensure a strong TLS cipher is favored. Because the recommendations for preferred TLS protocols and ciphers change frequently, please seek the current advice of cryptography experts for optimal TLS configuration.

For more information about configuring Tomcat with TLS, see: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

5.3 To Disable the Builtin Web Server

The builtin web server may be used on production servers to serve the ColdFusion Administrator. It may also be used by the Performance Monitoring Toolkit. You may disable the builtin web server when its use is not required.

Backup and edit the {cf.instance.root}/runtime/conf/server.xml file, and remove or comment out the Connector tag similar to the following:

<!--
<Connector port="8500" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8451" />
-->

This must be repeated for each ColdFusion instance created.

Restart ColdFusion and confirm that the server port is disabled.

Important: you must use XML comments with two dashes (<!-- xml comment has two dashes -->). If you use a CFML comment with three dashes (<!--- cfml comment has three --->) ColdFusion may not start, because the file is no longer well-formed XML.
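As an added example (not part of the guide), the following Python script audits the Connector elements of a server.xml against sections 5.1 to 5.3: it reports connectors that listen on all interfaces, HTTP connectors without TLS, and the three-dash CFML comment that prevents startup. The server.xml text is constructed for the example; point audit_connectors() at your own {cf.instance.root}/runtime/conf/server.xml to check a real instance.

```python
"""Audit Tomcat server.xml Connector elements for the builtin web server
hardening steps (bind address, TLS, safe comment syntax).

Added example, not from the guide. The sample server.xml below is
constructed; read the real file from {cf.instance.root}/runtime/conf/.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default plain HTTP connector bound to all
# interfaces, a TLS connector bound to loopback, and an AJP connector.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8451" />
    <Connector port="8443" protocol="HTTP/1.1" address="127.0.0.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/cf2021/tomcat.keystore"
               keystorePass="CHANGEME" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLSv1.3" />
    <Connector protocol="AJP/1.3" port="8018" redirectPort="8451" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict per <Connector> in the server.xml text.

    Issues reported, relative to the guide's recommendations:
      listens-on-all-interfaces : no address attribute (section 5.1)
      bound-to-non-loopback     : address set, but not loopback (review)
      plaintext-http            : HTTP connector without SSLEnabled (5.2)
      cfml-comment-in-xml       : a '<!---' comment, which breaks startup (5.3)
    """
    if "<!---" in server_xml:
        # A three-dash CFML comment is not well-formed XML; Tomcat will
        # refuse to parse the file, so report that and stop here.
        return [{"port": None, "protocol": None, "address": None,
                 "tls": False, "issues": ["cfml-comment-in-xml"]}]
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default
        address = conn.get("address")
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        issues = []
        if address is None:
            issues.append("listens-on-all-interfaces")
        elif address not in LOOPBACK:
            issues.append("bound-to-non-loopback")
        if protocol.startswith("HTTP") and not tls:
            issues.append("plaintext-http")
        findings.append({"port": conn.get("port"), "protocol": protocol,
                         "address": address, "tls": tls, "issues": issues})
    return findings


def has_open_http_connector(server_xml: str) -> bool:
    """True if any HTTP connector is reachable from every interface without
    TLS, which is the builtin web server's state after a default install."""
    required = {"listens-on-all-interfaces", "plaintext-http"}
    return any(required <= set(f["issues"])
               for f in audit_connectors(server_xml))


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = ", ".join(f["issues"]) or "OK"
        print(f"port={f['port']} protocol={f['protocol']} "
              f"address={f['address']} tls={f['tls']}: {status}")
```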

5.4 Deny ColdFusion Write Permission to Builtin Web Server wwwroot

ColdFusion will have Full Control of the wwwroot folder in your {cf.instance.root}. You may consider restricting that directory to read only, because the cf_scripts folder may be served over the IIS or Apache web server. If you do restrict write permission on wwwroot you will need to allow write permission to the following sub directories:

WEB-INF/cfclasses

WEB-INF/rest-skeletons

WEB-INF/cfc-skeletons

5.5 Restrict ColdFusion File System Permissions

ColdFusion will have Full Control of its installation directory by default. You may consider restricting full control to only the files and folders that ColdFusion needs to write to. You can use file system auditing to determine which files ColdFusion writes to during normal operation of your application.

Some directories that are commonly written to include:

{cf.instance.root}/logs

{cf.instance.root}/tmpCache

{cf.instance.root}/stubs

{cf.instance.root}/Mail

{cf.instance.root}/runtime/work

{cf.instance.root}/jetty/logs

{cf.instance.root}/jetty/work

{cf.instance.root}/jetty/multicore/collections/

Note that use of the ColdFusion Administrator may write configuration to several locations; you should ensure that your Administrator settings have been specified and will not change before restricting the file system permissions.

5.6 Lockdown the ColdFusion Add-on Services

If you installed the ColdFusion 2021 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf) they run as a separate process / service. The Add-on Services leverage Jetty as the JEE servlet container instead of Tomcat (which is used by the ColdFusion Application Server).

If you are not currently using the cfsearch, cfcollection, cfindex, or cfhtmltopdf tags, ensure that you have disabled the service.

Next ensure that it is not running under a privileged user account such as root or System. You may create a dedicated user specifically for the Add-on Services. This user simply needs read / write permission on the Solr Home folder. By default Solr Home will point to {cf.root}/cfusion/jetty; you can find the exact path by going to the ColdFusion Administrator and looking at the Solr Home setting under Data & Services > Solr Server.

Consider using a non-default port (8989 is the default) and enabling HTTPS. Go to the ColdFusion Administrator and click the Show Advanced Settings button on the Data & Services > Solr Server page to change these settings.

For maximum isolation, consider installing the ColdFusion Add-on Services on a dedicated server. Using HTTPS is highly recommended when Solr is running on a different server.

Consult the Jetty Documentation for more information: https://www.eclipse.org/jetty/documentation/

5.7 Lockdown File Extensions

ColdFusion provides a number of capabilities that are not commonly used and which can be blocked. A good example of this is JSP file execution. Here is a list of file extensions that usually can be blocked (check with developers first).

.cfml
    Purpose: Executes CFML templates (same as .cfm files)
    Safe to Block: The .cfml extension is not typically used by developers; if you don't use .cfml, block this file extension.

.jsp
    Purpose: JavaServer Pages
    Safe to Block: Yes, if your applications do not use JSP.

.jws
    Purpose: Java Web Services
    Safe to Block: Yes, if not used.

.cfr
    Purpose: CFReport files
    Safe to Block: Yes, if cfreport is not used.

.cfswf
    Purpose: Dynamically generated SWF files from Flash forms
    Safe to Block: Yes, if Flash forms are not used.

.hbmxml
    Purpose: Hibernate XML mappings
    Safe to Block: Yes, these files should always be blocked.

5.7.1 Blocking by File Extension with Apache

To block .cfml, .jsp, .jws and .hbmxml files add the following to your Apache httpd.conf file:

RedirectMatch 404 (?i).*\.(cfml|jsp|jws|hbmxml).*

Restart apache and create a test.cfml file to confirm that the rule is working.

5.7.2 Blocking by File Extension on IIS

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Deny File Name Extension in the Actions menu on the right. Add a file name extension including the dot and click OK.

5.7.3 File Extension Allow Listing on IIS

A more robust solution is to specify an allow list of permitted file extensions; any file extension not in the list would be blocked. For example, allow only .cfm .css .js .png and block anything else. Your application may require additional extensions.

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Allow File Name Extension. Allow each file extension your sites serve (for example cfm, css, js, png, html, jpg, swf, ico, etc).

You must also ensure that the .dll file extension is allowed in the /jakarta virtual directory in order for ColdFusion resources to be served.

Test your web sites after making changes in this section.

5.8 Additional URIs to Consider Blocking

Here are some additional URIs that ColdFusion may serve requests on that you can consider blocking if you do not use the features they support.

/connector, /pms, /__cf_connector_heartbeat__
    Description: Used by the Performance Monitoring Toolkit.

/CFFileServlet
    Description: Serves dynamically generated assets. It supports the cfreport, cfpresentation, cfchart, and cfimage (with action=captcha and action=writeToBrowser) tags. If you are not using those tags then you can block this endpoint.

/rest/, /api/, /restapps/, /cfapiresources/
    Description: Used for CFML REST web services implemented through CFCs.

/Application.cfm
    Description: Direct requests to Application.cfm or Application.cfc cause an error to be thrown, so you may wish to block them at the web server level.

.env, box.json, server.json, testbox, rewrites.xml
    Description: Additional paths which may contain configuration or non-production assets. These paths should be safe to block on production servers.

The Auto-Lockdown Tool will block the following URIs:

/Application.cfc

/WEB-INF

/cfformgateway

/flex2gateway

/cfform-internal

/flex-internal

/WSRPProducer

/JSDebugServlet

/securityanalyzer

.svn

.git

/CFIDE

/jakarta

5.8.1 Blocking URIs in IIS

Click on the root node of IIS and then double click Request Filtering. Click on the URL tab. Click the Deny Sequence button and enter the URI to block.

Note the Auto-Lockdown Tool blocks URIs using Request Filtering as well, however it applies the settings at the web site level, not the global IIS level. You may consider adding the URIs it blocks to the global level to ensure they will be blocked by all sites on the server.

5.8.2 Blocking URIs in Apache

To block a URI, add the following to the httpd.conf file:

RedirectMatch 404 (?i).*/CFIDE.*

The above blocks the request and returns a 404 HTTP status when the pattern /CFIDE is found anywhere in the URI: (?i) makes the match case insensitive, and the leading and trailing .* allow any prefix and suffix.
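Before restarting Apache it helps to know exactly which paths a RedirectMatch rule will catch. As an added example (not from the guide), the Python script below evaluates the two patterns given in 5.7.1 and 5.8.2 against a constructed list of request paths; Apache matches RedirectMatch against the URL path with an unanchored PCRE search, which re.search reproduces for these patterns.

```python
"""Review which request paths the guide's RedirectMatch 404 rules would
block, including case-insensitive and over-matching cases.

Added example, not from the guide; SAMPLE_PATHS is constructed.
"""
import re

# Patterns exactly as written in the guide's httpd.conf examples.
EXTENSION_RULE = r"(?i).*\.(cfml|jsp|jws|hbmxml).*"   # section 5.7.1
CFIDE_RULE = r"(?i).*/CFIDE.*"                       # section 5.8.2

RULES = [
    ("extensions", re.compile(EXTENSION_RULE)),
    ("cfide", re.compile(CFIDE_RULE)),
]


def blocked_by(path: str) -> list:
    """Return the names of the rules whose pattern matches the URL path.

    RedirectMatch is applied as an unanchored search, so re.search is the
    right primitive; an empty list means the request would reach ColdFusion.
    """
    return [name for name, rx in RULES if rx.search(path)]


def review(paths: list) -> dict:
    """Map each path to the list of rules that would return a 404 for it."""
    return {p: blocked_by(p) for p in paths}


# Constructed sample of request paths a production site might receive.
SAMPLE_PATHS = [
    "/index.cfm",                       # must stay reachable
    "/index.cfml",                      # .cfml blocked
    "/legacy/Report.JSP",               # (?i): upper-case .JSP blocked too
    "/index.cfm/path/info.jsp",         # extension in path info still caught
    "/orm/Customer.hbmxml",             # Hibernate mapping always blocked
    "/blog/why-jsp-is-dead.cfm",        # 'jsp' without a dot: not blocked
    "/downloads/notes.jsp.txt",         # over-match: blocked although static
    "/CFIDE/administrator/index.cfm",   # administrator path blocked
    "/cfide/scripts/ajax/foo.js",       # lower-case /cfide also blocked
    "/cf_scripts/scripts/ajax/foo.js",  # supported scripts path: allowed
]

if __name__ == "__main__":
    for path, rules in review(SAMPLE_PATHS).items():
        verdict = "404 (" + ", ".join(rules) + ")" if rules else "pass"
        print(f"{path:40} {verdict}")
```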

5.9 Optionally Remove ASP.NET

Once you have all websites configured in IIS, you may consider removing the IIS Role Services ASP.NET, .NET Extensibility and CGI, which are required by the connector installer but may not be needed at runtime.

If you are running the IIS WebSocket proxy then ASP.NET support is required and must not be removed.

While this approach may provide additional security by allowing removal of unused software, it does have two drawbacks. First, this is not a procedure that is officially documented or supported by Adobe. Adobe does not test without these settings enabled, so you may encounter something unexpected. Second, when a ColdFusion update is released for the connector, or if you want to add/update/delete an IIS connector, you must re-enable these role services before updating the connector.

5.10 Remove ASP.NET ISAPI Filters and Handler Mappings

If you do not require ASP.NET functionality, and you do not want to fully remove ASP.NET from the server due to the issues outlined in the previous section, you can remove the ISAPI Filters and Handler Mappings that ASP.NET uses to process requests.

First make a backup of the applicationHost.config file, typically located in C:\Windows\System32\inetsrv\config\, and any web.config files.

In the IIS global server level click on ISAPI Filters and remove all ASP.NET ISAPI filters. Next click on ISAPI and CGI Restrictions, click on each ASP.NET ISAPI filter and click Deny.

Next click on Handler Mappings in the IIS global root node. Remove all unnecessary Handler Mappings. Do not remove the StaticFile handler unless your application does not serve static files (js, css, images, etc). Do not remove the ISAPI-dll handler; it is required for the ColdFusion web server connector to function. A minimal configuration includes only StaticFile, ISAPI-DLL, and cfmHandler.

5.11 Disable Unused Servlet Mappings

All JEE web applications have a file in the WEB-INF directory called web.xml that defines the servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet responds to. For example, the servlet that handles requests for .cfm files is called the CfmServlet, and the servlet mapping for it looks like this:

<servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>

The servlets themselves are also defined in web.xml. The CfmServlet definition looks like this:

<servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <display-name>CFML Template Processor</display-name>
    <description>Compiles and executes CFML pages and tags</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110656ert">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>

We can remove servlet mappings in web.xml to reduce the attack surface. You don't typically want to remove the CfmServlet or the *.cfm servlet mapping, but there are other servlets and mappings that may be removed.

In addition, some servlets may depend on each other, so it may be better to remove just the servlet-mapping and leave the servlet definition in place.

Be sure to backup web.xml before making changes, as incorrect changes may prevent the server from starting.

*.cfm, *.CFM, *.Cfm
    Servlet: CfmServlet
    Purpose: Handles execution of CFML in .cfm files. Required.

*.cfml, *.CFML, *.Cfml
    Servlet: CfmServlet
    Purpose: Handles execution of CFML contained in files with the .cfml file extension. These servlet mappings can be commented out if you do not have any files with a .cfml file extension in your code base.

*.cfc, *.CFC, *.Cfc
    Servlet: CFCServlet
    Purpose: Handles execution of remote function calls in .cfc files. These servlet mappings can be commented out if you do not use any CFCs with access=remote.

*.cfml/*, *.cfm/*, *.cfc/*
    Servlet: CfmServlet, CFCServlet
    Purpose: These servlet mappings are used for search engine safe URLs such as /index.cfm/x/y.

/CFIDE/main/ide.cfm
    Servlet: RDSServlet
    Purpose: Used for RDS; this servlet mapping should be commented out on production servers.

/JSDebugServlet/*
    Servlet: JSDebugServlet
    Purpose: Used for debugging cfclient; should be commented out on production servers.

*.jws
    Servlet: CFCServlet
    Purpose: Java Web Services - allows you to easily write and deploy SOAP web services in Java similar to a CFC. Should be commented out if your applications do not have any .jws files (most do not have any).

*.cfr, *.CFR, *.Cfr
    Servlet: CFCServlet
    Purpose: Used for cfreport; can be commented out if the cfreport tag is not used.

/CFFileServlet/*
    Servlet: CFFileServlet
    Purpose: Used for serving files generated dynamically from various tags such as cfchart, cfimage, etc.

/securityanalyzer/*
    Servlet: CFSecurityAnalyzerServlet
    Purpose: Used for the CFBuilder security analyzer. Not needed on production servers.

/rest/*, /api/*, /restapps/*, /cfapiresources/*
    Servlet: CFRestServlet
    Purpose: Used to serve CFML REST web services.

*.hbmxml
    Servlet: CFForbiddenServlet
    Purpose: Used to prevent serving Hibernate mapping files. Keep this mapping.

/cfmobile/*
    Servlet: CFMobileServlet
    Purpose: Used for cfclient.

/pms, /connector/*
    Servlet: PMSGenericServlet
    Purpose: Used by the Performance Monitoring Toolset.

/mcs/*
    Servlet: ModulesCodeScannerServlet
    Purpose: Used by the cfpm code scanner.

/__cf_connector_heartbeat__
    Servlet: Connector
    Purpose: Used by the Performance Monitoring Toolset.

To remove a servlet mapping, you can comment it out using an XML comment. For example, to disable the RDS servlet mapping:

<!--
<servlet-mapping id="coldfusion_mapping_9">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
</servlet-mapping>
-->

Restart ColdFusion and test your application after commenting out servlet mappings. It is a good idea to only remove one at a time and then test again.

ColdFusion 2021 removed several servlets and servlet mappings related to Flash Remoting and Flash Forms:

/CFFormGateway/*

/cfform-internal/*

*.cfswf

*.as *.sws *.swc

/flashservices/gateway/*

/flex-internal/*

*.mxml

/flex2gateway/*

The above mappings should not be in the web.xml by default.
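The checks in 4.26 (no live RDSServlet mapping) and in this section can be scripted. As an added example (not from the guide), the Python below parses a web.xml, lists the servlet mappings that are still active (mappings inside XML comments are dropped by the parser, exactly as Tomcat ignores them), flags the ones the guide says to comment out on production, reports leftover Flash-era mappings, and confirms the *.hbmxml CFForbiddenServlet mapping is present. The sample web.xml and the LegacyFlashServlet name in it are constructed; run audit_web_xml() on {cf.instance.root}/wwwroot/WEB-INF/web.xml.

```python
"""Audit a ColdFusion web.xml for servlet mappings that should not be live
on a production server.

Added example, not from the guide; SAMPLE_WEB_XML is a constructed
fragment (a real web.xml is much longer).
"""
import xml.etree.ElementTree as ET

# url-patterns the guide recommends commenting out on production servers.
REMOVE_ON_PRODUCTION = {
    "/CFIDE/main/ide.cfm": "RDS (section 4.26)",
    "/JSDebugServlet/*": "cfclient debugging",
    "/securityanalyzer/*": "CFBuilder security analyzer",
}
# Flash Remoting / Flash Forms mappings removed in ColdFusion 2021; their
# presence suggests a web.xml carried over from an older release.
LEGACY_FLASH = {"/CFFormGateway/*", "/cfform-internal/*", "*.cfswf", "*.as",
                "*.sws", "*.swc", "/flashservices/gateway/*",
                "/flex-internal/*", "*.mxml", "/flex2gateway/*"}
# The guide says to keep this mapping: it blocks Hibernate mapping files.
MUST_KEEP = {"*.hbmxml": "CFForbiddenServlet"}

# Constructed sample: RDS still live, JSDebugServlet already commented out,
# one legacy Flash mapping (servlet name made up for the example), and no
# *.hbmxml mapping.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="coldfusion_mapping_9">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>JSDebugServlet</servlet-name>
    <url-pattern>/JSDebugServlet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>LegacyFlashServlet</servlet-name>
    <url-pattern>/flex2gateway/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}name -> name), if present."""
    return tag.split("}")[-1]


def live_mappings(web_xml: str) -> list:
    """Return (servlet-name, url-pattern) pairs for every active mapping.

    A servlet-mapping may list several url-pattern children; each becomes
    its own pair. Commented-out mappings never reach the parser.
    """
    root = ET.fromstring(web_xml)
    pairs = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = "", []
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        pairs.extend((name, p) for p in patterns)
    return pairs


def audit_web_xml(web_xml: str) -> dict:
    """Classify live mappings: to remove, legacy Flash, missing required."""
    live = live_mappings(web_xml)
    patterns = {p for _, p in live}
    return {
        "remove": sorted(f"{n} {p}: {REMOVE_ON_PRODUCTION[p]}"
                         for n, p in live if p in REMOVE_ON_PRODUCTION),
        "legacy_flash": sorted(p for p in patterns if p in LEGACY_FLASH),
        "missing_required": sorted(f"{s} {p}" for p, s in MUST_KEEP.items()
                                   if (s, p) not in live),
        "rds_enabled": "/CFIDE/main/ide.cfm" in patterns,
    }


if __name__ == "__main__":
    for key, value in audit_web_xml(SAMPLE_WEB_XML).items():
        print(f"{key}: {value}")
```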

5.12 Additional Tomcat Security Considerations

Consult the Tomcat 9 Security Considerations document https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html for additional Tomcat-specific security settings.

5.13 Additional File Security Considerations

Pay careful attention to the file permissions of sensitive configuration files located in {cf.instance.root}/lib/ such as password.properties, seed.properties and all neo-*.xml files. In addition, the files located in {cf.instance.root}/runtime/conf/ are important configuration files utilized by the Tomcat container.

5.14 Adding ClickJacking Protection

ColdFusion 10 introduced two Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI; this functionality could also be accomplished at the web server level.

5.15 Restricting HTTP Verbs

Most web applications only need to function on GET, HEAD and POST. Applications that make use of Cross Origin Resource Sharing (CORS) will also require the OPTIONS method. Servers that host REST web services may require additional HTTP methods.

5.15.1 Allow Listing HTTP Verbs in Apache

The Limit and LimitExcept directives can be used to apply configuration based on the HTTP method. For example, to deny all requests except GET, HEAD and POST you can add the following to your httpd.conf:

<Location />
    <LimitExcept GET HEAD POST>
        Order Deny,Allow
        Deny from all
    </LimitExcept>
</Location>

TraceEnable off

Note that LimitExcept does not apply to the HTTP TRACE method. The TRACE method can be disabled using the Apache directive TraceEnable. Restart Apache.

5.15.2 Allow Listing HTTP Verbs in IIS

Click on the root node in IIS and double click Request Filtering and select the HTTP Verbs tab. Click Allow verb for each HTTP verb you want to allow.

Now to disallow any verb that has not been explicitly allowed, click Edit Feature Settings and Uncheck Allow unlisted verbs.

5.16 Security Constraints in web.xml

The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:

<security-constraint>
    <display-name>POST SSL</display-name>
    <web-resource-collection>
        <web-resource-name>POST ONLY SSL</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>POST ONLY</display-name>
    <web-resource-collection>
        <web-resource-name>BLOCK NOT POST</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

5.17 Limit Request Size

Limiting the size of various elements of the HTTP request can help mitigate denial of service attacks and other risks.

Consider specifying smaller request size limits by default, and then use larger sizes on URIs where files are uploaded or very large form submissions occur.

5.17.1 Limit Request Size in IIS

In IIS you can use the Edit Feature Settings dialog in Request Filtering to control the Maximum Allowed Content Length, Maximum URL Length and Maximum Query String Length.

5.17.2 Limit Request Size in Apache

Apache has several directives that can be used to control the allowed size of the request. Here are a few directives you should consider setting: LimitRequestBody, LimitXMLRequestBody, LimitRequestLine, LimitRequestFieldSize, LimitRequestFields.

5.18 Distributed Mode or Reverse Proxy

Consider running in a reverse proxy or distributed mode, such that the web server and the ColdFusion server are on different servers. This method provides isolation between your web server and the ColdFusion application server.

In distributed mode, only the web server connector is installed on the server containing the web server.

For more information on configuring ColdFusion to run in distributed mode consult this blog entry: https://coldfusion.adobe.com/setting-up-coldfusion-in-distributed-envionment/

5.19 HTTP Response Headers to improve Security

There are several HTTP response headers that you may consider adding to the web server to improve security. Some headers you may consider adding include:

Strict-Transport-Security

X-Frame-Options

Content-Security-Policy

X-Content-Type-Options

X-XSS-Protection

Referrer-Policy

5.19.1 Adding HTTP Response Headers in IIS

Open IIS and double click the HTTP Response Headers icon. Then click Add and specify a header name and value.

5.19.2 Adding HTTP Response Headers in Apache

Add a Header directive to your httpd.conf; for example, the HSTS header takes a max-age value in seconds:

Header set Strict-Transport-Security "max-age=31536000"

6 ColdFusion Lockdown on Linux

This section covers installation of ColdFusion on Red Hat Enterprise Linux 8 with Apache. To install ColdFusion 2021 on Linux we will perform the following steps:

Perform installation prerequisites

Create a Dedicated User Account for ColdFusion to run as.

Install ColdFusion

Check for, and install any ColdFusion hotfixes.

Configure Apache

Configure file system permissions.

Run the web server configuration tool to connect ColdFusion to Apache

Setup ColdFusion Administrator Site

Update the JVM

6.1 Linux Installation Prerequisites

Before you begin the ColdFusion installation process perform the following steps:

Configure a network firewall (and / or configure a local firewall using iptables) to block all incoming public traffic during installation.

Read the Red Hat Enterprise Linux 8 Managing and Monitoring Security Updates Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_and_monitoring_security_updates/index

Read the Red Hat Enterprise Linux 8 Security Hardening Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/index

Install Red Hat Linux with minimal packages; you do not need to install a graphical desktop environment.

Enable SELinux Enforcing mode during installation. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index for more information about SELinux.

Remove or disable any software on the server that is not required. To see what packages are installed run: yum list installed | more and to remove a package: yum erase php

You will need to know how to edit text files on Linux, for example using vi or nano.

Run yum update and ensure that all software running on the server is fully patched.

Download ColdFusion from adobe.com

Verify that the MD5 checksum listed on the adobe.com download page matches the file you downloaded. You can run the following from a shell: md5sum installer-file-name.bin

6.2 Create a Dedicated User Account for ColdFusion

Create a new group which will contain both ColdFusion users and Apache's user. In this guide we will name this group webusers; please choose a unique name:

groupadd webusers

Create a system user for ColdFusion to run as. In this guide we use the username cfuser, but again, pick a unique username:

adduser --system -g webusers -s /sbin/nologin -M -c ColdFusion cfuser

If you are running multiple instances of ColdFusion consider creating a dedicated user account for each instance to run in isolation.

6.3 ColdFusion Installation

Run the installer as the root user or by using sudo.

Installer Configuration: Choose #1 - Server configuration. If you are deploying ColdFusion to a JEE server such as WebSphere, WebLogic, JBoss, etc. select an EAR or WAR file, otherwise choose option 1 Server configuration.

Select ColdFusion Server Profile: Choose Production Profile + Secure Profile. The Development Profile should not be selected; it enables features that are intended for development purposes. The Production Profile disables development features by default. The Production Profile + Secure Profile option has all the features of the Production Profile plus provides a more secure foundation of default settings. Some of the settings that the Secure Profile toggles may cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues. As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.

IP Addresses allowed: 127.0.0.1,::1 Comma separate any other IP addresses that need to access the ColdFusion Administrator.

Sub-components Installation: Select only services that are required by your application.

Solr Service - the Solr service is needed only if you are using the cfsearch, cfcollection, cfindex tags. Disable the Solr service if not needed.

PDFG - enable if you are using the cfhtmltopdf tag.

Admin component for Remote Start/Stop - disable.

Start ColdFusion on system init - enable.

Enabling/Disabling Servlets:

Uncheck RDS, JS Debug

Uncheck CF Reporting if you are not using the cfreport tag.

Access Add-on Services Remotely: If you selected the PDFG or Solr Service sub-components the ColdFusion 2021 Add-on Services will be installed. When you specify n for the Access Add-on Services Remotely option, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from multiple ColdFusion servers, enter y and then specify the IP addresses of the remote ColdFusion servers. Select n unless remote access is required.

Choose Install Folder: Select a non-default installation folder; in this guide we will use /opt/cf2021/, however you should select a unique path.

Built-in Web Server Port Number: Select a non-default port number.

Performance Monitoring Toolset Hostname / IP Address: Enter the internal IP address of the server if you wish to use the PMT. This value can be changed later in the Administrator.

Runtime User: Enter the name of the user created in the previous section: cfuser

Configure ColdFusion with OpenOffice: Skip if not required - OpenOffice integration is used by cfdocument to convert Word documents to PDF or PowerPoint presentations to PDF/HTML.

Administrator Credentials: select a unique username (not admin), and choose a strong password.

Server Updates: Y automatically check for server updates.

Now start ColdFusion:

service cf2021 start

6.4 Access ColdFusion Administrator via an SSH Tunnel

It can be useful to create a temporary SSH tunnel when you need to connect to the ColdFusion Administrator. As of ColdFusion 2016 and up, the ColdFusion Administrator is no longer accessible via the Apache web server.

To access the ColdFusion Administrator you can create an SSH tunnel that points to the built-in web server port (8500 by default) by opening a local port (33333 in our example, but you can use any local port number you want as long as it is not in use) on your desktop.

If your desktop computer is running Mac or Linux you can forward local port 33333 to port 8500 on the server by running the following command (locally on your desktop, not on your ColdFusion server; replace <user> with your SSH login on the server):

ssh -L 33333:127.0.0.1:8500 <user>@your.new.server.example.com

If you are running a Windows desktop you can use putty.exe (download from putty.org)

putty -L 33333:127.0.0.1:8500 your.new.server.example.com

Now open your web browser and point to http://127.0.0.1:33333/CFIDE/administrator/

The traffic between your desktop and the server is encrypted by SSH. You can also configure the built-in web server to use HTTPS on top of that (see section 4.2).

6.5 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server.

Click on Package Manager > Core Server > Check for Updates if any hotfixes are available select the latest hotfix, and click Download.

Tip: You can verify the integrity of the downloaded hotfix by running md5sum on the hotfix_XXX.jar file and checking that the checksum matches the value in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates. Because MD5 is not collision resistant, this check mainly catches a truncated or corrupted download; the trust in the file itself comes from fetching both the hotfix and the feed from Adobe over HTTPS.

Run the hotfix installer as root or with sudo (replace hotfix_XXX.jar with the actual hotfix file name):

java -jar /opt/cf2021/cfusion/hf-updates/hotfix_XXX.jar

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: https://coldfusion.adobe.com/2012/12/coldfusion-hotfix-installation-guide/


6.6 Install and Configure Apache Web Server

6.6.1 Install or Update Apache

If Apache (httpd) has not yet been installed, install it using yum:

yum install httpd

If Apache (httpd) was already installed, ensure that the latest version is installed:

yum update httpd

6.6.2 Remove Unnecessary Modules

Ensure that the latest version of openssl and mod_ssl are installed as well using similar yum commands as above.

Remove any unneeded modules, for example:

yum erase php*

Edit /etc/httpd/conf/httpd.conf and remove or comment out (by placing a # at the beginning of the line) any LoadModule lines that load unnecessary modules. Most modules are loaded from separate configuration files (look in /etc/httpd/conf.modules.d/). You can list every file that loads a module by running:

grep -rF LoadModule /etc/httpd/

Some modules that you may be able to remove (or comment out by placing a # at the beginning of the line) include: mod_imap , mod_info , mod_userdir , mod_status , mod_cgi , mod_autoindex .
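As an added example (not from the guide or from Adobe), the following Python script audits an Apache configuration tree for active, uncommented LoadModule directives that load the modules listed above, and can comment them out. The conf.modules.d file it operates on is constructed here; the module identifiers are Apache's own (status_module, cgi_module, and so on), with mod_imap appearing as imagemap_module, the name it has carried since Apache 2.2. Run find_unneeded_modules("/etc/httpd") for a read-only report on a real server.

```python
"""Flag Apache LoadModule lines that load modules this guide suggests removing.

Added example for this guide (not from the original document or Adobe). It walks
a config directory, reads every *.conf file, and reports active (uncommented)
LoadModule directives whose module name is in a deny list. The sample config
used by demo() is constructed here, not copied from a real server.
"""
import os
import re
import tempfile

# Modules the guide says you may be able to remove (mod_X -> X_module).
UNNEEDED_MODULES = {
    "imagemap_module",   # mod_imap was renamed mod_imagemap in Apache 2.2
    "info_module",
    "userdir_module",
    "status_module",
    "cgi_module",
    "autoindex_module",
}

# LoadModule <name> <path>; leading whitespace allowed, '#' comment lines skipped.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)")


def find_unneeded_modules(conf_root):
    """Return [(file, line_no, module)] for every active unneeded LoadModule."""
    findings = []
    for dirpath, _dirs, files in os.walk(conf_root):
        for fname in sorted(files):
            if not fname.endswith(".conf"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = LOADMODULE_RE.match(line)
                    if m and m.group(1) in UNNEEDED_MODULES:
                        findings.append((path, lineno, m.group(1)))
    return findings


def comment_out_modules(conf_root, modules):
    """Prefix matching LoadModule lines with '#'. Returns number of lines changed."""
    changed = 0
    for path, lineno, module in find_unneeded_modules(conf_root):
        if module not in modules:
            continue
        with open(path, encoding="utf-8") as fh:
            lines = fh.readlines()
        lines[lineno - 1] = "#" + lines[lineno - 1]   # line count is unchanged
        with open(path, "w", encoding="utf-8") as fh:
            fh.writelines(lines)
        changed += 1
    return changed


# Constructed sample: a conf.modules.d layout like RHEL's /etc/httpd/.
SAMPLE_CONF = """\
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
  LoadModule cgi_module modules/mod_cgi.so
LoadModule autoindex_module modules/mod_autoindex.so
"""


def demo():
    """Audit the constructed tree, disable the flagged modules, audit again."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "conf.modules.d"))
    with open(os.path.join(root, "conf.modules.d", "00-base.conf"), "w") as fh:
        fh.write(SAMPLE_CONF)
    before = [m for _, _, m in find_unneeded_modules(root)]
    changed = comment_out_modules(root, UNNEEDED_MODULES)
    after = [m for _, _, m in find_unneeded_modules(root)]
    return before, changed, after


if __name__ == "__main__":
    print(demo())
```

The already-commented mod_info line is ignored, so the script reports only what Apache would actually load; after commenting out the three active modules a second audit comes back empty. Restart httpd after editing and confirm your application still works, since mod_cgi or mod_autoindex may be in use without anyone remembering it.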

6.6.3 Setup Directory for Web Roots

Optional: If you wish to set up a non-default web root, follow the instructions in this section. If you plan to use the default web root /var/www/html, then copy your CFML files into that directory.

If you have multiple web sites you may wish to create a folder for all your sites. In this guide we will use /www/ as the root folder, but youshould choose a unique path name.

mkdir -p /www/default/wwwroot/

mkdir -p /www/example.com/wwwroot/

mkdir -p /www/other.example.com/wwwroot/

Copy your CFML source code into the directory; /www/default/wwwroot/ could be set up as the default site for Apache.

Next, let's add the apache user to the webusers group we created previously.

usermod -aG webusers apache

Set up some file system permissions. The files are owned by root and are readable, but not writable, by the webusers group (which both the apache user and the ColdFusion runtime user belong to); everyone else gets no access:

chown -R root:webusers /www

chmod -R 750 /www

chcon -R -t httpd_sys_content_t -u system_u /www/default/wwwroot/

chcon -R -t httpd_sys_content_t -u system_u /www/example.com/wwwroot/

chcon -R -t httpd_sys_content_t -u system_u /www/other.example.com/wwwroot/

Note: chcon relabels the files as they are now, but a filesystem relabel (for example restorecon, or an automatic relabel on boot) reverts them to the policy default. To make the label permanent, record it for the /www paths with semanage fcontext and then apply it with restorecon.

Edit httpd.conf (typically located in /etc/httpd/conf/httpd.conf) and change the DocumentRoot from /var/www/html to your new default site root, for example /www/default/wwwroot

Next tell Apache that it is allowed to serve files to the public under the folder /www by adding:

<Directory "/www">
    Options None
    AllowOverride None
    Require all granted
</Directory>

Options None turns off directory indexes, symlink following, server-side includes and CGI execution for this tree, and AllowOverride None prevents a .htaccess file from turning any of them back on.

Note: We are using /www here as a catch-all path for all of our web root directories. If you have any files under /www that Apache should not be allowed to serve, then you should add a <Directory> block for each web root instead.

Create an index.html file in the default site:

echo 'Hello' > /www/default/wwwroot/index.html

Restart Apache

service httpd restart

Test to make sure Apache is working:

curl http://localhost/

The above curl command should output the contents of the /www/default/wwwroot/index.html file. If you are following along, it should output: Hello.

6.6.4 Start Apache on Boot

By default Apache will not start on system boot; you need to enable the service with systemctl. As root or using sudo run the following:

systemctl enable httpd.service

6.7 Run the Linux ColdFusion Auto Lockdown Tool

Before running the ColdFusion Auto Lockdown Tool please ensure the following:

ColdFusion is running, and you have logged in to the ColdFusion Administrator at least once: service cf2021 start
Apache is running: service httpd start (test by accessing port 80 or 443).

Run the auto lockdown tool as the root user or by using sudo .

ColdFusion Installation Directory - enter the directory where ColdFusion is installed.
Apply latest ColdFusion update - select Yes to have the lockdown tool check for updates and install them.
Automatic Update or Manual - select Automatic if the server is connected to the internet.
ColdFusion Instance - enter the name of the instance to lock down; select the default, cfusion.
Web Server - select Apache.
Admin Username - enter your ColdFusion Administrator user name.
Admin Password - enter your ColdFusion Administrator password.
Internal Web Server Port - enter the port number you chose for the internal web server during installation (default is 8500).
System Admin User - enter the username for your root user account.
System Admin Password - if root has a password you may enter it; if it does not have a password configured, just hit enter.
Do you have a user created for running CF services? - select Yes.
ColdFusion Runtime Username - enter the username for the ColdFusion user you created, e.g. cfuser.
ColdFusion Runtime User Password - hit enter, because the user was created as a system account and so does not have a password.
ColdFusion Runtime User Group - enter the name of the group you created, for example webusers.
Do you have a user created for running Web Server services? - select Yes.
Web Server Group - the name of the group that the web server user belongs to (default is apache on RedHat Linux).
Web Server Username - the username for the web server user (default is apache on RedHat Linux).
Web Server Password - hit enter; the web server user is created as a system account, so it does not have a password by default on RedHat Linux.
Web Server Conf Directory Path - enter the path to the folder that contains httpd.conf; on RedHat Linux it will be /etc/httpd/conf
Web Server Binary Path - enter the path to the httpd binary; on RedHat Linux it will be /usr/sbin/httpd
Web Server Web Root Path - enter the path to the web root directory you created, for example: /www/
File Upload Path - the lockdown installer will grant write permissions to the folder specified. If you have more than one folder, you can do this manually with chmod, for example chmod u+w /web/example.com/path-to-write-to/
Alias for cf_scripts - select a path other than the defaults: not /cf_scripts, and not /cf2018_scripts or /cf2021_scripts.
Shutdown Port - change the shutdown port to a non-default value.

Review the Lockdown Tool logs in /opt/cf2021/lockdown/cfusion/Logs (path may differ), and ensure that it states ColdFusion Server has been locked down successfully and that there are no errors.

6.7.1 Test the web server


The lockdown tool will connect ColdFusion to the Apache web server. Test a .cfm page to make sure it is working.

6.7.2 Troubleshooting the CF / Apache Connector

Test a static file (eg txt or html) to make sure that the problem is not

Take a look in the /opt/cf2021/config/wsconfig/1/mod_jk.log file.

If you see the following message, the problem could be one of a few scenarios:

(cfusion) Failed opening socket to (::1:8020) (errno=111)
(cfusion) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)

See the following sub sections for possible solutions.

6.7.2.1 Make sure CF is running

First, it could simply be that ColdFusion is not running. You can check whether it is running with ps aux or by running service cf2021 status. You can start CF by running: service cf2021 start

Though it may not be necessary, you can also restart Apache: service httpd restart. Test your cfm file again to see if the problem persists.

6.7.2.2 Use IPv4 instead of IPv6

Second, you will notice from the error message above that Apache is attempting to connect to ::1:8020; ::1 is the IPv6 address of localhost. You can change the configuration to use the IPv4 address of localhost, 127.0.0.1, by editing the workers.properties file located in the /etc/httpd/conf/ directory. Change the line worker.cfusion.host=localhost to worker.cfusion.host=127.0.0.1

Restart apache service httpd restart after making this change and test your cfm file again.

6.7.2.3 Make sure Apache and ColdFusion agree on ports and secrets

In the workers.properties file look for a line that starts with worker.cfusion.port; it will be set to 8020 by default.

Next check the {cf.home}/runtime/conf/server.xml file for this port number, e.g.:

grep 8020 /opt/cf2021/cfusion/runtime/conf/server.xml

It should show up in a <Connector> tag with protocol="AJP/1.3". The value of the secret attribute in the Connector tag must also match the value of the worker.cfusion.secret property in the workers.properties file; Tomcat refuses AJP requests whose secret does not match, so requests fail even though the socket connects.
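The three checks above (host, port, secret) can be done in one pass. As an added example that is not part of the guide or of the ColdFusion lockdown tool, the Python below parses a mod_jk workers.properties and a Tomcat server.xml and lists every disagreement, including the localhost-versus-::1 case from the previous section. The two files it reads are constructed here; on a real server you would read /etc/httpd/conf/workers.properties and {cf.home}/runtime/conf/server.xml.

```python
"""Check that Apache's mod_jk worker and Tomcat's AJP connector agree.

Added example for this guide (not part of the original document or of the
ColdFusion lockdown tool). It parses workers.properties and server.xml and
reports disagreements on port, secret and bind address. The sample files
below are constructed here, not copied from a real server.
"""
import xml.etree.ElementTree as ET


def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#' or '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ajp_connectors(server_xml):
    """Return the attribute dict of every AJP/1.3 <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP/1.3")]


def check_worker(props, connectors, worker="cfusion"):
    """Return a list of problem strings; an empty list means both sides agree."""
    problems = []
    host = props.get(f"worker.{worker}.host")
    port = props.get(f"worker.{worker}.port")
    secret = props.get(f"worker.{worker}.secret")

    if host == "localhost":
        problems.append("worker host is 'localhost'; it may resolve to ::1 while "
                        "Tomcat listens on IPv4 (use 127.0.0.1)")
    matches = [c for c in connectors if c.get("port") == port]
    if not matches:
        problems.append(f"no AJP connector listens on worker port {port}")
        return problems
    conn = matches[0]
    # Tomcat 9.0.31+ defaults secretRequired to true.
    if conn.get("secretRequired", "true").lower() != "false" and not conn.get("secret"):
        problems.append("connector requires a secret but none is configured")
    if conn.get("secret") != secret:
        problems.append(f"worker.{worker}.secret does not match the connector secret")
    addr = conn.get("address")
    if addr and host and addr != host:
        problems.append(f"connector is bound to {addr} but the worker connects to {host}")
    return problems


# Constructed sample inputs (not copied from a real server).
WORKERS = """\
# mod_jk workers written by wsconfig
worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8020
worker.cfusion.secret=constructed-secret-A
"""

SERVER_XML = """\
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8020" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="constructed-secret-B"/>
  </Service>
</Server>
"""


def demo():
    """Run the check against the constructed sample pair."""
    return check_worker(parse_properties(WORKERS), ajp_connectors(SERVER_XML))


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

On the sample pair the script reports three problems: the localhost worker host, the secret mismatch, and the connector being bound to 127.0.0.1 while the worker connects by name. Fixing the host and secret in workers.properties brings the list down to nothing, which is the state you want before restarting Apache.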

6.7.2.4 Troubleshooting with SELinux enabled

If you have SELinux enabled, you may be getting a 503 error when attempting to request a cfm file.

You may need to use semanage to allow the web server to connect to Tomcat's AJP port.

Check to see if semanage is installed; if not, run the following (on RHEL/CentOS 7 the package is named policycoreutils-python instead):

yum install policycoreutils-python-utils

Next try running:

semanage port -a -t http_port_t -p tcp 8020

You may get an error: ValueError: Port tcp/8020 already defined. This means that SELinux already has a policy for this port. You can check what is configured by using:

semanage port --list | grep 8020

It may already be configured as hadoop_namenode_port_t. Assuming you are not using Hadoop, you can run the following to set the type to http_port_t:

semanage port --modify -t http_port_t -p tcp 8020

Restart apache service httpd restart after making this change and test your cfm file again.


6.8 Update JVM

The Java Virtual Machine included with the ColdFusion installer may not contain the latest Java security hotfixes. You must periodically check for JVM security hotfixes.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However, ColdFusion "Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion". Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

6.8.1 Using Oracle Java

Download the RPM for the latest supported LTS JRE from Adobe https://www.adobe.com/support/coldfusion/downloads.html.

Picking the correct version: As of this writing Java 11 is the latest supported LTS release of Java. Java 9, 10, 12, 13, 14 and 15 are all non-LTS versions and are only supported for a short time (6 months). Learn more here: https://www.petefreitag.com/item/911.cfm

For example, to download using curl:

curl https://example/jdk-11.0.xx_linux-x64_bin.rpm -o ./jdk-11.0.xx_linux-x64_bin.rpm

Install the rpm:

rpm -ivh jdk-11.0.xx_linux-x64_bin.rpm

After you install the RPM the JVM is placed under /usr/java/, and a symbolic link /usr/java/latest/ is created pointing to the latest installed version. Point ColdFusion to this path to simplify future JVM updates. (Oracle does not ship a separate JRE package for Java 11, so the file you download and install is a JDK.)

Verify that the version of Java in /usr/java/latest/ is a version supported for ColdFusion 2021.

/usr/java/latest/bin/java -version

Tip: You will need to update Java frequently; Oracle typically releases security patches for Java on a quarterly basis. Third-party tools such as https://hackmycf.com/ can help keep you up to date.

6.8.2 Updating ColdFusion to use a new JVM Path

Locate the jvm.config file (by default it is located in /opt/coldfusion2021/cfusion/bin/; with the install path used in this guide it is /opt/cf2021/cfusion/bin/) and make a backup:

cp jvm.config jvm.config.backup

To update using the ColdFusion Administrator: click on Server Settings > Java and JVM and then set the Java Virtual Machine Path text box to /usr/java/latest/.

To update via shell: Edit jvm.config in a text editor to locate the line beginning with java.home= for example:

java.home=/opt/cf2021/jre

Change the above line to the following:

java.home=/usr/java/latest

Restart ColdFusion for the new JVM to take effect. Visit the System Information page of ColdFusion administrator to confirm that the JVMhas been updated. To revert to the default JVM replace jvm.config with jvm.config.backup and restart ColdFusion again.

6.8.3 Update JVM Add-On Services

If you installed the add-on services, ensure that their startup script also points to the updated JVM. Look for the line:

SOLR_JVM="/opt/cf2021/jre"

And update it to:

SOLR_JVM="/usr/java/latest"

6.9 Auditing


The Auto Lockdown Tool runs a command similar to this to enable auditing with auditd of file writes under the ColdFusion installation directory:

auditctl -w /opt/cf2021 -p wax -k ColdFusion

The above will audit all write, attribute change and execute operations on the path /opt/cf2021/ and tag all entries with the filter key ColdFusion. Rules added with auditctl do not survive a reboot; to keep the rule, add the same -w line to a file under /etc/audit/rules.d/ so that augenrules loads it when auditd starts.

You can query the audit log using the filter key with:

ausearch -k ColdFusion

You may notice a lot of writes to log files. Placing the log files outside of your CF directory will reduce this noise, or you could configure auditd to ignore log folders.

You may also consider setting up auditing on other important paths such as /etc/ or your web root file system.
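Filtering the log-file noise mentioned above can also be done after the fact. As an added example that is not part of the guide or of auditd, the Python below groups raw audit records (the format of /var/log/audit/audit.log, or of ausearch --raw output) by event serial, keeps only events whose SYSCALL record carries key="ColdFusion", and drops events whose only touched paths sit under directories you declare as log folders. The records it processes are constructed here and are not captured from a real server; the log folder /opt/cf2021/cfusion/logs/ assumes the install path used in this guide.

```python
"""Summarise auditd events tagged with the ColdFusion key, dropping log noise.

Added example for this guide (not part of the original document or of auditd).
It groups raw audit.log records by event id, keeps events whose SYSCALL record
has key="ColdFusion", and ignores PATH entries under directories named as log
folders. SAMPLE_LOG below is constructed here; the field layout follows the
audit.log format (type=... msg=audit(epoch:serial): key=value ...).
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Return (event_serial, record_type, fields) or None if unparseable."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return m.group(2), fields.get("type"), fields


def coldfusion_events(lines, key="ColdFusion", ignore_prefixes=()):
    """Return [{'serial', 'comm', 'exe', 'syscall', 'paths'}] for matching events."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if not parsed:
            continue
        serial, rtype, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            events[serial]["paths"].append(fields["name"])

    result = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        if not sc or sc.get("key") != key:
            continue
        paths = [p for p in ev["paths"]
                 if not any(p.startswith(pre) for pre in ignore_prefixes)]
        if not paths:
            continue  # every path was in a log folder: treat as noise
        result.append({"serial": serial, "comm": sc.get("comm"),
                       "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                       "paths": paths})
    return result


# Constructed sample records: one routine log write, one write into the
# web root, and one unrelated event with a different key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1611900000.101:501): arch=c000003e syscall=257 success=yes exit=5 uid=1001 comm="java" exe="/usr/java/latest/bin/java" key="ColdFusion"
type=CWD msg=audit(1611900000.101:501): cwd="/opt/cf2021/cfusion/bin"
type=PATH msg=audit(1611900000.101:501): item=0 name="/opt/cf2021/cfusion/logs/application.log" nametype=NORMAL
type=SYSCALL msg=audit(1611900000.250:502): arch=c000003e syscall=257 success=yes exit=6 uid=1001 comm="java" exe="/usr/java/latest/bin/java" key="ColdFusion"
type=PATH msg=audit(1611900000.250:502): item=0 name="/opt/cf2021/cfusion/wwwroot/CFIDE/" nametype=PARENT
type=PATH msg=audit(1611900000.250:502): item=1 name="/opt/cf2021/cfusion/wwwroot/CFIDE/new.cfm" nametype=CREATE
type=SYSCALL msg=audit(1611900000.300:503): arch=c000003e syscall=257 success=yes exit=3 uid=0 comm="bash" exe="/usr/bin/bash" key="other"
type=PATH msg=audit(1611900000.300:503): item=0 name="/opt/cf2021/cfusion/bin/x" nametype=NORMAL
"""

LOG_FOLDERS = ("/opt/cf2021/cfusion/logs/",)   # assumption: guide's install path


def demo():
    """Events worth a look once routine log writes are filtered out."""
    return coldfusion_events(SAMPLE_LOG.splitlines(), ignore_prefixes=LOG_FOLDERS)


if __name__ == "__main__":
    for ev in demo():
        print(ev["serial"], ev["comm"], ev["paths"])
```

With the log folder excluded only event 502 survives: the ColdFusion process creating a .cfm file under its own web root, which is exactly the kind of write this audit rule exists to surface. Without the exclusion the routine application.log write is reported as well, which is the noise the text above describes.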

6.10 Change umask

The Auto Lockdown Tool attempts to set the umask; however, you may see in the lockdown log file: Can't add UMask as the init file doesn't exist! https://tracker.adobe.com/#/view/CF-4210967

To add the umask manually, edit the {cf.root}/bin/sysinit startup script and add the line near the top, but below the #description comment:

umask 007

A umask of 007 removes all permissions for others from files and directories ColdFusion creates, while leaving group read and write in place. Consider a more restrictive umask on the group permission, for example 027, which also removes group write.

6.11 Additional Lockdown Steps

Read and follow the instructions in the prior sections:

ColdFusion Package Management
ColdFusion Administrator Settings
Additional Lockdown Measures


7 Performance Monitoring Toolset Security Considerations

7.1 Installing the PMT

Select a non-default path to install to. Select non-default port numbers. Enter a username other than admin and use a strong password.

Each ColdFusion 2021 server that will be connected to the PMT server will need to have the pmtagent package installed. This can be accomplished using the ColdFusion Administrator or the cfpm script. See ColdFusion Package Management for details.

For additional isolation consider installing the PMT on a dedicated server. The PMT Service and PMT Datastore could also be isolated to dedicated servers.

7.2 ColdFusion Server Auto Discovery

The PMT auto discovery feature can detect ColdFusion servers over multicast (default port 46864). Ensure that your network firewall or operating system firewall is configured to limit access accordingly.

More information about auto discovery: https://coldfusion.adobe.com/2018/07/auto-discovery/

7.3 PMT Datastore

The PMT datastore is an Elasticsearch server. Any computer with access to the port that the PMT datastore is running on can access all the data it contains.

Ensure that the PMT datastore is not running on the default ports 9200 to 9300.
Ensure that a network or OS firewall has been configured to deny external access to this port.
ColdFusion 2021 servers that are monitored require access to the PMT datastore port.
If the PMT datastore is only connecting to a ColdFusion server on the same computer, then configure the PMT Datastore to run on localhost (see below).

7.4 Run PMT and PMT Datastore as Dedicated User

The ColdFusion 2021 Performance Monitoring Toolset service and the ColdFusion 2021 Performance Monitoring Toolset Datastore service run as Local System by default.

Create two local user accounts. In this guide we will use the usernames pmtdatastore and pmtservice; however, you should create unique names. Next create a user group that contains both users, for example pmtgroup.

Grant read only permission to the group (eg pmtgroup ) on the Performance Monitoring Toolset installation directory (the default is C:\ColdFusion2021PerformanceMonitoringToolset or /opt/ColdFusion2021PerformanceMonitoringToolset ).

Grant Full Control (read and write) permission to the logs and config directory under the PMT installation directory to the pmtservice user account.

Grant Full Control (read and write) permission to the datastore/data and datastore/logs directory under the PMT installationdirectory to the pmtdatastore user account.

Note that the pmtservice user does not need access to the datastore subfolder; you may consider denying the pmtservice user access to the datastore folder.

Update the Service Log On Identity for the ColdFusion 2021 Performance Monitoring Toolset service to point to your pmtservice user. Update the Service Log On Identity for the ColdFusion 2021 Performance Monitoring Toolset Datastore service to point to your pmtdatastore user.

Restart both services.

7.5 Update PMT JVM


Edit the jvm.config file located in the config subfolder of the PMT installation directory. Replace the following line:

java.home=C:\ColdFusion2021PerformanceMonitoringToolset\jre

With a path pointing to your current JVM, for example:

java.home=C:\Java\jdk-11.0.XX\

7.6 Configure PMT Datastore to run on localhost (if applicable)

If you are only monitoring one ColdFusion server, and are running the PMT on the same server, then you can configure the PMT datastore to run on localhost.

Back up, then edit datastore/config/elasticsearch.yml and update network.host to 127.0.0.1
Back up, then edit config/application.properties and update datastore.host to 127.0.0.1
Restart both the PMT Service and the PMT Datastore service.
Open the PMT Dashboard in your browser to confirm it is still running. If you have already connected your ColdFusion server to the PMT you will need to reconnect it.

7.7 Update the PMT Software

The Performance Monitoring Toolset has its own update mechanism separate from the ColdFusion server hotfix installer. Therefore, when ColdFusion server hotfixes are installed, they do not update the Performance Monitoring Toolset.

Open the PMT dashboard in a web browser and navigate to Settings > Updates. Click on the Check Updates button.


8 API Manager Security Considerations

8.1 Install API Manager

Download and run the API Manager installer.

Consider changing ports to non-default values.

Use a dedicated partition / drive for the API manager application server files.

For maximum isolation you can install the API Manager, Data Store and Analytics Server services on separate servers. If you are installingeverything on a single server check the Data Store and Analytics Server checkboxes to install these services locally.

8.2 Connect API Manager to IIS

Follow section 2.2 to ensure that the required IIS role services are installed on the server. Create an empty directory for a new site in IIS, for example d:\sites\api.example.com\wwwroot\

Create empty subfolders called portal , amp , analytics and admin .

URI        | Purpose                                                                    | Restrict
/analytics | Allows publishers, subscribers and admins to see stats related to API use  | Restrict to admins, publishers and subscribers
/admin     | API Manager administrator interface                                        | Block public access
/amp       | Internal API for API Manager. Used by /portal and /analytics               | Restrict to admins, publishers and subscribers
/amp/admin | Internal API for API Manager Admin                                         | Block public access

Block or restrict access to the URIs using request filtering, IP restrictions, or web server authentication.

8.3 Run API Manager as a Dedicated User

Create a unique user for each service (for example: apimanager, apidatastore, apianalytics) with minimal permissions. Next create a user group containing each service user; in this guide we will call the group apimanagers, but you should use unique user names and group names.

Stop all API Manager Services.

Grant read-only permission to the apimanagers group for the entire API Manager installation root directory {api.root} (for example x:\ApiManager\ or /opt/ApiManager/).

Next grant read and write (Full Control) permission to the apidatastore user for the {api.root}/database/datastore/ directory.

Start the API Datastore Service.

Grant read and write (Full Control) permission to the apianalytics user for the following directories:

{api.root}/database/analytics/data/

{api.root}/database/analytics/logs/

Start the API Analytics Service

Grant read and write (Full Control) permission to the apimanager user for the following directories:

{api.root}/conf

{api.root}/logs

Start the API manager services and test.

On Linux you will need to create a startup script to run each of the services as its dedicated user, for example (su takes the command with a lowercase -c; if the service accounts were created with a nologin shell, also pass -s /bin/sh so su has a shell to run the command in):

su apidatastore -c "/opt/ApiManager/database/datastore/redis-server /opt/ApiManager/database/datastore/redis.conf.properties"

su apianalytics -c "/opt/ApiManager/database/analytics/bin/elasticsearch"

su apimanager -c "/opt/ApiManager/bin/start.sh"

8.4 Update the API Manager JVM

Locate the jvm.config file in the bin directory, back up the file, then change the line:

java.home=..\\jre

to point to the updated JVM. Note that to use a \ in the path it must be escaped as \\

Note: At the time of this writing the API Manager does not work with Java 11. The API Manager ships with Java 1.8 and you shoulduse the latest version of Java 1.8 or check to see if Java 11 support has been added. See https://tracker.adobe.com/#/view/CF-4210978 for reference.

8.5 Update the API Manager Software

The ColdFusion API Manager has its own update mechanism separate from the ColdFusion server hotfix installer. Therefore, when ColdFusion server hotfixes are installed, they do not update the API Manager software.

Open the API Manager Administrator (http://127.0.0.1:9000/admin/ by default) in a web browser and navigate to Updates. Click on the Check Updates button.


9 Patch Management Procedures

Staying up to date with patches is essential to maintaining security on the server. The system administrator should monitor the vendors' security pages for all software in use. Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered.

Signup for the Adobe Security Notification Service: https://www.adobe.com/subscription/adbeSecurityNotifications.html

Check the following websites frequently:

Adobe ColdFusion Security Bulletins: https://helpx.adobe.com/security/products/coldfusion.html

Microsoft Security Tech Center: https://www.microsoft.com/en-us/msrc

RedHat Security: https://www.redhat.com/security/updates/

Listing of security vulnerabilities in Apache web server: https://httpd.apache.org/security_report.html

Listing of security vulnerabilities in Tomcat: https://tomcat.apache.org/security-9.html

To keep up with ColdFusion 2021 updates you can use the server update feature in the ColdFusion Administrator. Consider setting up an instance to email you when new updates are released.

You should also consider subscribing to the ColdFusion Community Portal https://coldfusion.adobe.com/.

Finally, a third-party commercial service, https://hackmycf.com, will let you know when relevant ColdFusion, Java, Tomcat, etc. security patches are released. It will also scan your server on a periodic basis and send you a report.


10 Sources of Information

Microsoft Security Compliance Management Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e
NSA Operating System Security Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
Tips for Securing Apache: https://www.petefreitag.com/item/505.cfm
Apache Security by Ivan Ristic, 2005, O'Reilly, ISBN: 0-596-00724-8
Tips for Secure File Uploads with ColdFusion: https://www.petefreitag.com/item/701.cfm
HackMyCF.com Remote ColdFusion vulnerability scanner: https://hackmycf.com/
Fixing Apache (13) Permission Denied 403 Forbidden Errors: https://www.petefreitag.com/item/793.cfm
Apache Tomcat 8.5 Security Considerations: https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
Getting started with AppCmd.exe: http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
Professional Microsoft IIS 8 by Schaefer, Kenneth; Cochran, Jeff; Forsyth, Scott; Glendenning, Dennis; Perkins, Benjamin. Wiley. ISBN: 978-1-118-38804-4
ColdFusion and SELinux: http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=28ED0616-50DA-0559-A0DD2E158FF884F3
ColdFusion MX with SELinux Enforcing: http://www.ghidinelli.com/2007/12/06/coldfusion-mx-with-selinux-enforcing

Thanks to Charlie Arehart for providing several suggestions and feedback on prior versions of the guide.


11 Reference Tables

11.1 Tags that use /cf_scripts/ assets

Tag                              | URI Pattern                                                 | Notes
cfajaxproxy                      | /cf_scripts/scripts/ajax/                                   |
cfajaximport                     | /cf_scripts/scripts/                                        | This tag lets you override the default script src setting
cfautosuggest                    | /cf_scripts/scripts/ajax/                                   | Deprecated & Unsupported since CF2016
cfcalendar                       | /cf_scripts/scripts/ajax/                                   | Deprecated & Unsupported since CF2016
cfchart                          | /cf_scripts/scripts/ajax/ and /cf_scripts/scripts/chart/    |
cfclient                         | /cf_scripts/cfclient/                                       |
cfdiv                            | /cf_scripts/scripts/ajax/                                   |
cffileupload                     | /cf_scripts/scripts/ajax/                                   |
cfform                           | /cf_scripts/scripts/cfform.js and /cf_scripts/scripts/masks.js |
cfform format=flash              | /cf_scripts/scripts/ajax/                                   | Deprecated since CF11, Unsupported since CF2016
cfform format=xml                | /cf_scripts/scripts/ajax/                                   | Deprecated since CF11, Unsupported since CF2016
cfgrid                           | /cf_scripts/scripts/ajax/                                   |
cfgrid format=applet             | /cf_scripts/classes/                                        | Deprecated since CF11, Unsupported since CF2016
cfinput (autosuggest, datefield) | /cf_scripts/scripts/ajax/                                   |
cflayout                         | /cf_scripts/scripts/ajax/                                   |
cfmap                            | /cf_scripts/scripts/ajax/                                   |
cfmediaplayer                    | /cf_scripts/scripts/ajax/                                   |
cfmenu                           | /cf_scripts/scripts/ajax/                                   | Deprecated & Unsupported since CF2016
cfmessagebox                     | /cf_scripts/scripts/ajax/                                   |
cfpod                            | /cf_scripts/scripts/ajax/                                   |
cfprogressbar                    | /cf_scripts/scripts/ajax/                                   |
cfslider                         | /cf_scripts/scripts/ajax/                                   |
cfsprydataset                    | /cf_scripts/scripts/ajax/                                   | Deprecated since CF11, Unsupported since CF2016
cftextarea                       | /cf_scripts/scripts/ajax/ and /cf_scripts/scripts/ckeditor/ | Consider blocking the ckeditor subfolder if you do not use this tag, because it has cfm files in it
cftooltip                        | /cf_scripts/scripts/ajax/                                   |
cftree                           | /cf_scripts/scripts/ajax/                                   | Deprecated & Unsupported since CF2016
cftree format=applet             | /cf_scripts/classes/                                        | Deprecated since CF11, Unsupported since CF2016
cfwebsocket                      | /cf_scripts/scripts/ajax/                                   |
cfwindow                         | /cf_scripts/scripts/ajax/                                   |


12 Troubleshooting

12.1 ColdFusion cannot write files under the web root

The Auto Lockdown tool grants the user that ColdFusion runs as read-only permission to the web root. If you have files or folders that ColdFusion needs to write to, you need to give the ColdFusion user account (e.g. cfuser) write permission.

On Windows, in the file explorer Right Click on the folder or file that you want ColdFusion to be able to write to, and select Properties. Go tothe Security tab and add the ColdFusion user, and grant the desired permissions.

To grant the user cfuser write permission (and ownership) of a folder on Linux:

chown -R cfuser /www/data-files/

chmod -R u+rw /www/data-files/

12.2 Requesting a cfm results in a 404 after Lockdown tool

Here are two possible causes:

The IIS Application Pool .NET Framework Version may not have been set to No Managed Code.

The ColdFusion user account does not have permission to read the file.

12.3 WebSockets are not working after running lockdown tool

Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in the IIS Application Pool Settings from No Managed Code to a version of .NET that supports WebSockets (v4+).

12.4 Help Installing ColdFusion Hotfixes

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: https://coldfusion.adobe.com/2012/12/coldfusion-hotfix-installation-guide/


13 Revision History

Version 1.0 - December 2020 - Initial Revision.
Version 1.1 - January 2021 - Minor Updates.
